This is the accessible text file for GAO report number GAO-06-91
entitled 'Risk Management: Further Refinements Needed to Assess Risks
and Prioritize Protective Measures at Ports and Other Critical
Infrastructure' which was released on January 17, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
December 2005:
Risk Management:
Further Refinements Needed to Assess Risks and Prioritize Protective
Measures at Ports and Other Critical Infrastructure:
GAO-06-91:
GAO Highlights:
Highlights of GAO-06-91, a report to Congressional Requesters:
Why GAO Did This Study:
Congress and the President have called for various homeland security
efforts to be based on risk management—a systematic process for
assessing threats and taking appropriate steps to deal with them. GAO
examined how three Department of Homeland Security components were
carrying out this charge:
* the Coast Guard, which has overall responsibility for security in the
nation’s ports;
* the Office for Domestic Preparedness (ODP), which awards grants for
port security projects; and
* the Information Analysis and Infrastructure Protection Directorate
(IAIP), which has responsibility for developing ways to assess risks
across all types of critical infrastructure.
GAO’s work focused on identifying the progress each DHS component has
made on risk management and the challenges each faces in moving
further.
What GAO Found:
The three DHS components GAO studied varied considerably in their
progress in developing a sound risk management framework for homeland
security responsibilities. The varied progress reflects, among other
things, each component’s organizational maturity and the complexity of
its task (see table below). The Coast Guard, which is furthest along,
is the component of longest standing, being created in 1915, while IAIP
came into being with the creation of the Department of Homeland
Security in 2003. IAIP, which has made the least progress, is not only
a new component but also has the most complex task—addressing not just
ports but all types of infrastructure. The Coast Guard and ODP have a
relatively robust methodology in place for assessing risks at ports;
IAIP is still developing its methodology and has had several setbacks
in completing the task. All three components, however, have much left
to do. In particular, each component is limited in its ability to
compare and prioritize risks. The Coast Guard and ODP can do so within
a port but not between ports; IAIP has not demonstrated that it can do
so either within or between all infrastructure sectors.
Each component faces many challenges in making further progress.
Success will depend partly on continuing to improve various technical
and management processes that are part of risk management. For example,
obtaining better quality data from intelligence agencies would help DHS
components estimate the relative likelihood of various types of
threats—a key element of assessing risks. In the longer term, progress
will depend increasingly on how well risk management is coordinated
across agencies, because current approaches in many ways are neither
consistent nor comparable. Also, weaving risk-based data into the
annual budget cycle of program review will be important. Supplying the
necessary guidance and coordination is what the Department of Homeland
Security was set up to do and, as the Secretary of Homeland Security
has stated, what it now needs increasingly to address. This is a key
issue for the department as it seeks to identify relative risks and
take appropriate actions related to the nation’s homeland security
activities.
Progress in Risk Management Is Affected by Organizational Maturity and
Complexity of Risk Management Task
[See PDF for image]
Source: GAO.
[End of table]
What GAO Recommends:
This report contains many recommendations aimed at helping the three
components face their next risk management challenges. DHS, including
the Coast Guard, ODP, and IAIP, generally concurred with the report and
its recommendations. DHS said that all three components have actions
under way to address many of the recommendations in this report.
www.gao.gov/cgi-bin/getrpt?GAO-06-91.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Margaret Wrightson at
(415) 904-2200 or wrightsonm@gao.gov.
[End of section]
Contents:
Letter:
Executive Summary:
Background:
Results in Brief:
Principal Findings:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Chapter 1: Introduction Risk Management Is a Key Tool for Homeland
Security:
Chapter 2: The Coast Guard Has Made Progress in Using Risk Management,
but Challenges Remain:
Chapter 3: Stronger Risk Management Approach Could Improve the
Accountability of the Port Security Grant Program:
Chapter 4: IAIP Faces Challenges in Meeting Risk Management
Responsibilities across All Sectors of the Nation's Infrastructure:
Chapter 5: Overall Observations and Recommendations:
Appendix I: A Risk Management Framework:
Appendix II: Comments from the Department of Homeland Security:
Appendix III: GAO Contacts and Staff Acknowledgments:
Related GAO Products:
Tables:
Table 1: Examples of Risk Management in the Private and Public Sectors:
Table 2: Summary of Progress Made and Challenges That Remain in the
Coast Guard's Risk Management Approach:
Table 3: Port-Level Assessments Conducted by the Coast Guard:
Table 4: National-Level Assessments Conducted by the Coast Guard:
Table 5: Examples of Data-Related Challenges in Coast Guard Risk
Assessments:
Table 6: Summary of Progress and Challenges in the Port Security Grant
Program:
Table 7: Examples of Data-Related Challenges in ODP Risk Assessments:
Table 8: Examples of Changes in Funding Decisions:
Table 9: Summary of Progress Made and Challenges That Remain in IAIP's
Risk Management Approach:
Table 10: Critical Infrastructure Sectors and Lead Federal Agencies:
Table 11: A Risk Management Framework:
Figures:
Figure 1: Risk Management Framework:
Figure 2: A Framework for Risk Management:
Figure 3: Facilities at One of the Nation's Major Ports:
Figure 4: Sources of Evaluation Criteria Associated with Risk
Management Phases:
Abbreviations:
ASME: American Society of Mechanical Engineers:
CIP: critical infrastructure protection:
COSO: Committee of Sponsoring Organizations:
DHS: Department of Homeland Security:
HITRAC: Homeland Infrastructure Threat and Risk Analysis Center:
HSPD: Homeland Security Presidential Directive:
IAIP: Information Analysis and Infrastructure Protection Directorate:
IG: Inspector General:
MARAD: Maritime Administration:
MSRAM: Maritime Security Risk Analysis Model:
MTSA: Maritime Transportation Security Act:
NADB: National Assets Database:
NIPP: National Infrastructure Protection Plan:
ODP: Office for Domestic Preparedness:
OMB: Office of Management and Budget:
PS-RAT: Port Security Risk Assessment Tool:
PWCS: Ports, Waterways, and Coastal Security:
RAMCAP: Risk Analysis and Management for Critical Asset Protection:
TSA: Transportation Security Administration:
United States Government Accountability Office:
Washington, DC 20548:
December 15, 2005:
The Honorable Henry A. Waxman:
Ranking Minority Member:
Committee on Government Reform:
House of Representatives:
The Honorable C. A. Dutch Ruppersberger:
House of Representatives:
The threat of terrorism presents a number of risks to our nation's
seaports and other types of critical infrastructure. The Department of
Homeland Security (DHS) has three components responsible for the
security of critical infrastructure related to ports and other
facilities. The U.S. Coast Guard has responsibility for port security
overall. The Office for Domestic Preparedness (ODP) is responsible for
providing port security grants to selected maritime facility owners.
The Information Analysis and Infrastructure Protection (IAIP)
Directorate is responsible for working with other federal, state,
local, and private organizations to identify and protect critical
infrastructure across the nation. Risk management is a tool for
assessing risks, evaluating alternatives, making decisions, and
implementing and monitoring protective measures. This report provides
an evaluation of the progress made, and challenges faced, by the Coast
Guard, ODP, and IAIP in using risk management to improve homeland
security.
As agreed with your offices, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
after its issue date. At that time, we will provide copies of this
report to appropriate departments and interested congressional
committees. This report will also be available at no charge on the GAO
Web site at http://www.gao.gov.
If you or your staff have any questions about this report, please
contact me at (415) 904-2200 or at wrightsonm@gao.gov. Key contributors
to this report are listed in appendix III.
Sincerely yours,
Signed by:
Margaret T. Wrightson:
Director, Homeland Security and Justice Issues:
[End of section]
Executive Summary:
Risk management, a strategy for helping policymakers make decisions
about assessing risks, allocating resources, and taking actions under
conditions of uncertainty, has been endorsed by Congress and the
President as a way to strengthen the nation against possible terrorist
attacks. Risk management has long been used in such areas as insurance
and finance, but its application to domestic terrorism has no
precedent. Unlike storms and accidents, terrorism involves an adversary
with deliberate intent to destroy, and the probabilities and
consequences of a terrorist act are poorly understood and difficult to
predict. The size and complexity of homeland security activities and
the number of organizations involved--both public and private--add
another degree of difficulty to the task. The task of managing this
complexity centers on the Department of Homeland Security, which since
its inception in March 2003 has been faced with the challenge of
transforming 22 agencies into an organization that can plan, manage,
and carry out operations effectively. Congress likewise has a key
oversight role to play in ensuring that DHS's course regarding risk
management reflects a consensus as to the most prudent and cost-
effective course of action.
To assist Congress in its oversight, this report focuses on the
progress made by three DHS components in applying risk management to
homeland security activities and the challenges each component faces in
moving further ahead. For two of these components, GAO's review dealt
specifically with their risk management activities at the nation's
seaports, while the review for the third component encompassed a wider
range of infrastructure. GAO decided to focus a considerable amount of
this review on seaport security because seaports have been viewed as
potential terrorist targets or as conduits for importing a weapon of
mass destruction or where terrorists may enter the country. GAO's focus
on these three components, while not a comprehensive look across the
entire department, provides perspective on the degree of progress made
thus far. Risk management has applications for deliberate acts of
terror as well as natural disasters, such as hurricanes and
earthquakes. GAO's research, which was conducted prior to Hurricane
Katrina, focused on preparations for terrorist attacks, not natural
disasters. The three components GAO studied are:
* the Coast Guard, the lead federal agency for port security and the
agency responsible for developing and coordinating various risk-based
assessments of critical infrastructure in and around ports;
* the Office for Domestic Preparedness, administrator of the port
security grant program, has awarded more than half a billion dollars in
federal grants to owners and operators of port facilities and vessels;
and:
* the Information Analysis and Infrastructure Protection Directorate,
which has been charged with establishing uniform policies, approaches,
guidelines, and methodologies for integrating infrastructure protection
and risk management activities within and across key sectors, such as
energy, defense, and transportation, including airports, railroads, and
ports.[Footnote 1]
Besides describing the progress of and challenges for each component,
this report also presents GAO's observations about what the three
components' efforts indicate collectively, both with regard to how far
the department has come in managing homeland security efforts on the
basis of risk and what steps could help advance the current level of
progress.
Background:
Seaport security receives particular attention in this report because
seaports are widely viewed as representing attractive terrorist
targets, in part because of their importance to the economy. More than
95 percent of the nation's non-North American foreign trade (and 100
percent of certain commodities, such as foreign oil) arrives by ship.
The estimated economic consequences of a successful attack and
resulting shutdown of this system total billions of dollars. Ports also
represent attractive targets because they contain a myriad of
vulnerabilities. In all, the nation's 300-plus ports have about 3,700
cargo and passenger terminals. Chemical factories, oil refineries,
power plants, and other facilities are often located in port areas and
add another set of possible targets. Roads crisscross many ports,
allowing access by land as well as by water, and the number of people
working in or traveling through ports is in the millions. The Coast
Guard has the major responsibility for seaport security, and the port
security grant program administered by ODP adds to the resources
available for port security projects.
Relative to the Coast Guard and ODP, IAIP's homeland security
responsibilities are by far the widest-ranging. The Homeland Security
Act of 2002 and Homeland Security Presidential Directive 7 (HSPD-7)
charge IAIP with establishing a risk management framework across the
federal government to protect the nation's critical infrastructure and
key resources.[Footnote 2] The scope of this effort is immense, and the
effort is one of IAIP's central responsibilities. IAIP's task
ultimately involves developing an approach that can inform decisions on
what the nation's antiterrorism priorities should be and identifying
what strategies and programs will do the most good. IAIP's work is done
in a setting where numerous and substantial gaps in security remain,
but resources for closing these gaps are limited. More specifically,
IAIP is charged with examining and comparing relative risks associated
with a multitude of possible targets, ranging from specific structures
(such as dams, chemical plants, and nuclear power plants) to major
sectors of national infrastructure (such as the banking system,
computer networks, and water systems). IAIP is also responsible for
developing policies and guidance that other agencies can use in
conducting their own risk assessments.
While federal law and the presidential directive call for the use of
risk management in homeland security, little specific federal guidance
or direction exists as to how risk management should be implemented. To
provide a basis for analyzing component efforts, GAO developed a
framework for risk management based on industry best practices and
other criteria. This framework, shown in figure 1, divides risk
management into five major phases: (1) setting strategic goals and
objectives, and determining constraints; (2) assessing the risks; (3)
evaluating alternatives for addressing these risks; (4) selecting the
appropriate alternatives; and (5) implementing the alternatives and
monitoring the progress made and results achieved. For all three
components, GAO applied this framework after conducting a wide range of
interviews with officials, reviewing plans and activities of the three
components, and visiting port locations. As part of our work, GAO
briefed officials of the three components about the various phases of
the framework and the officials generally agreed with its structure and
intent. The application of risk management to homeland security is
relatively new, and the framework will likely evolve as processes
mature and lessons are learned.
Figure 1: Risk Management Framework:
[See PDF for image]
[End of figure]
Results in Brief:
Of the three components GAO reviewed, the Coast Guard had made the most
progress in establishing a foundation for using a risk management
approach; its next challenges are to further refine and enhance its
approach. While the Coast Guard has made progress in all five risk
management phases, its greatest progress has been made in conducting
risk assessments--that is, evaluating individual threats, the degree of
vulnerability, and the consequences of a successful attack. However,
the assessments are limited in their reliability and completeness, and
better coordination will be needed with the intelligence community so
that analysts can develop models that better assess the relative
probability of various threat scenarios. The Coast Guard has developed
the ability to compare and prioritize risks at individual. However, it
cannot yet compare and prioritize relative risks of various
infrastructure across ports. Other challenges include developing
performance measures to go along with the more general goals already
developed for the port security mission, further integrating risk into
the annual cycle of program and budget review, and developing formal
policies for reviewing and improving the implementation of a risk
management approach. The Coast Guard has actions under way to address
the challenges it faces in each risk management phase. Several of these
actions are based, in part, on briefings GAO held with agency
officials.
ODP has made progress in applying risk management to the port security
grant program, but like the Coast Guard, it also faces challenges
across all phases of the risk management framework. For example, ODP
has set broad risk management goals and has placed more emphasis on
using risk-based data in its assessments, but it lacks performance
measures showing what specific outcomes the program aims to achieve,
and it still faces challenges in such matters as comparing grant
applications across ports. The grant awards for fiscal year 2004 also
illustrate some of the challenges in ensuring that criteria for making
the awards are transparent and consistent. At the end of what was, in
part, a risk-based assessment process, ODP changed the criteria for
awarding grants when it decided to give lower priority to applicants
from large companies on the assumption that the companies were better
able than other entities to pay for their own improvements. This
changed 40 percent of the grants awarded, as projects with higher risk
but greater potential for self-funding gave way to lower-risk projects
with more limited funding prospects. In the procedures for fiscal year
2005 awards, ODP clarified the criteria it would use in making the
awards.
IAIP, which has the broadest risk management responsibilities of the
three components and faces the greatest challenges, has made the least
progress in carrying out its complex risk management activities. Its
efforts are aligned with high-level strategic goals, but ways to
measure performance in achieving these goals have yet to be developed.
IAIP is not as far along as ODP and the Coast Guard in conducting risk
assessments. While IAIP has provided input to ODP for its risk
assessment efforts, IAIP's risk assessment responsibilities span much
broader sectors of the nation's infrastructure than seaports alone,
making its assessment activities more difficult. This difficulty is
reflected in the limited progress made. With regard to its risk
assessment responsibilities, IAIP has yet to successfully (1) develop
data to determine the relative likelihood of various threat scenarios,
(2) complete a methodology for comparing and prioritizing key assets,
or (3) meet requirements set forth in HSPD-7 for issuing policies and
guidance that other agencies can use in conducting their own risk
assessments. For example, a DHS consultant issued a risk assessment
methodology in 2004 for collecting data from industry, but adverse
comments from reviewers have led to revisions that are still under way.
IAIP is also challenged in its ability to translate these assessments
into specific measures to be taken, because after IAIP makes decisions
about what national priorities should be, it is dependent on the
actions of others to carry them out. This is particularly true with
regard to private sector assets where IAIP needs collaboration from the
owners and operators of private sector infrastructure and their
regulators.
GAO made four main observations regarding the experience of these three
components.
* A considerable degree of effort has been expended thus far, but much
work remains to be done. This is particularly true in viewing risk
management strategically--that is, with a view that goes beyond just
assessing what the risks are and also integrating the consideration of
risk into the annual cycle of program and budget review that is already
in place.
* The varying degree of progress among the three components tends to
reflect several characteristics of each component--how long it has been
at the task of developing a risk management approach, how long it has
existed as a component and is therefore able to function maturely, and
how complex its risk management task is. For example, IAIP, which has
made the least progress, is not only a new component established in
2003, but also has the most complex risk-related tasks of the three
components--addressing risk not only at ports, but across all types of
infrastructure and with multiple federal agencies and nonfederal
stakeholders.
* In the near term, all three components' success in risk management
will depend partly on continuing to make progress on the challenges
described above. This involves continuing to work on such matters as
performance measures, basic policies, and enhancements to existing risk
assessment tools.
* The final observation is related to a critical longer-term need: more
guidance and coordination from the department level, both to help
ensure that individual components such as IAIP are carrying out their
roles effectively and to ensure that the various responses from
individual components mesh as effectively as possible with one another.
In comparing the approaches developed by the three components, GAO
noted ways in which their efforts were not consistent. The danger is
that if components develop systems and methodologies that are
inconsistent, they may end up with incompatible systems that have
little or no ability to inform spending decisions on homeland security.
The challenges associated with creating a department that can
effectively administer a coherent risk management approach to the
nation's homeland security have been widely acknowledged. IAIP
recognizes that as DHS's individual components begin to mature in their
risk management efforts, the need increases for ensuring consistency
and coherence in these efforts. Supplying this necessary guidance and
coordination is what DHS was set up to do.
Principal Findings:
Coast Guard Has Made Progress in Using Risk Management, but Challenges
Remain:
The Coast Guard has made progress across all five phases of risk
management. In the first phase (goal and objective setting), the Coast
Guard has established broad strategic goals for port security,
including, in order of priority: (1) preventing terrorist attacks
within, and terrorist exploitation of, the maritime domain and (2)
reducing America's vulnerability to terrorism in the maritime domain.
It faces challenges in developing objectives that translate these goals
into more specific and measurable results. Coast Guard officials
recognize that developing performance measures is a necessary next step
and have actions under way to develop such measures.
For the second phase, assessing risks, the Coast Guard has greatly
expanded the scope of its risk assessment activities since the
terrorist attacks of September 11, 2001. It has conducted three major
security assessments at the port level, and collectively these
assessments have resulted in considerable progress in understanding and
prioritizing risks within a port. After it initiated port-level
assessments, the Coast Guard expanded its analysis efforts to the
national level to gain a more strategic perspective on port security.
In all, the Coast Guard has conducted three major efforts at the
national level, focusing more generally on understanding the risk posed
to various classes of assets (such as bridges or container ships) by
various types of attacks (such as using explosives or weapons of mass
destruction). The assessments are limited in their reliability and
completeness, however, in the degree to which the Coast Guard has (1)
formal and systematic input from the intelligence community for
modeling relative probability and likelihood of threat scenarios and
(2) risk assessment tools allowing comparison and prioritization of
specific infrastructure across ports. These limitations affect the
degree to which the Coast Guard is able to determine how best to focus
its attention on these threats that, from a national perspective, pose
the greatest risk within the seaport sector. The Coast Guard has
initiated actions to address these challenges. For example, the agency
has initiated contact with the intelligence community to obtain better
data on threat scenarios, and it plans to complete development of an
assessment tool that will compare the relative risks of high-value
assets at one port with risks of assets in a different port.
Enhancing these first two phases of risk management is key to making
additional progress on the next two phases--evaluating and selecting
alternatives that reduce risk. While the Coast Guard's efforts have
resulted in progress in identifying and evaluating alternatives at the
individual port level, the lack of measurable objectives and sufficient
information to fully depict threats, vulnerabilities, and consequences
limits the ability to target the areas with the greatest gaps or
produce the most cost-effective decisions. Similarly, buttressing
annual budget review cycles with risk-based data is in its early
development and more work remains to be done. Finally, with regard to
the fifth phase--implementation and monitoring--the Coast Guard has
implemented a number of activities to mitigate risks and has
demonstrated the ability to evaluate its efforts and make improvements.
The actions taken have included establishing maritime intelligence
centers on the Atlantic and Pacific coasts and working closely with
nonfederal stakeholders to reduce vulnerabilities in and around
facilities and vessels. However, existing feedback mechanisms are
insufficient to ensure that Coast Guard field personnel can make their
headquarters managers aware of ways to improve the process. The Coast
Guard recognizes the value of formal feedback loops as a means of
improving its risk management processes, and it has plans to obtain
formal feedback as part of its future efforts.
ODP's Port Security Grant Program Illustrates Both Progress and
Challenges in Implementing Risk Management:
Like the Coast Guard, ODP has made progress across all five phases of
risk management. For example, for the first phase, it has set risk
management goals that support broader maritime goals, such as
protecting critical infrastructure in harbors, borders, ports, and
coastal approaches. ODP has not begun to translate these broad goals
into measurable objectives. Without them, it is difficult to know what
progress has been made in reducing risk and what security gaps remain.
ODP has carried out risk assessments, with input from the Coast Guard
and IAIP, and evaluated mitigation alternatives--the second and third
phases of the framework--to help determine which ports should receive
priority for grants. Using risk assessments, ODP narrowed the number of
ports eligible for grants from 129 to 66 for fiscal year 2005. Other
recent steps include placing greater emphasis on using threat,
vulnerability, and consequence data in prioritizing grant applications.
Along with this progress, however, are several methodological
challenges that limit such things as the usefulness of data received
from intelligence agencies and ODP's ability to compare and prioritize
risks among ports. For example, without data on the relative
probability of various threat scenarios from the Coast Guard or IAIP,
ODP may not target the most significant security needs. ODP has not yet
developed approaches for addressing most of these challenges.
While ODP has also made progress in developing a risk-based grant
selection process and mechanisms to monitor what the grants accomplish,
grant awards for fiscal year 2004 illustrate the challenges involved in
actually making risk-based decisions. At the end of its process for
determining which grants to fund, based in part on risk, ODP decided to
give lower priority to grants involving projects at large companies, on
the assumption that the companies were better able than other entities
to pay for their own improvements. For example, one chemical company's
application for $225,000 to purchase cameras, fencing, and barricades
was initially ranked 25th out of 287 applications nationwide, but under
the revised priorities its ranking fell to 236th. Projects initially
ranked much lower received funding instead. For example, an application
initially ranked as 279th out of 287 was approved for funding. In all,
the application of non-risk criteria changed 40 percent of the grants
awarded. ODP's changes affected the transparency and consistency of the
awards process, in that (1) the criteria under which applications were
submitted and initially considered were changed at the end of the
process, and (2) the role of risk in evaluating the applications was
obscured, because the resulting awards may not have addressed the most
severe security gaps. Additionally, there is no guarantee that large
companies would spend their own funds for security improvements, and it
is unclear whether there are incentives, such as minimum standards for
security, that would motivate them to do so. ODP issued revised
criteria for fiscal year 2005 grants, and in doing so has made the
process more transparent and consistent.
IAIP's Progress in Carrying Out Risk Management Has Been Limited:
IAIP's progress in all five phases of risk management has been limited.
It has made some progress in developing goals, having issued an Interim
National Infrastructure Protection Plan in February 2005 that
identifies a strategy for identifying, prioritizing, and coordinating
the protection of critical infrastructure and key resources.[Footnote
3] The interim plan provides some guidance in meeting IAIP's broad
responsibilities for identifying, comparing, and prioritizing critical
assets, but it is not a comprehensive document, and IAIP faces several
challenges in making it more comprehensive. These challenges are
related to (1) developing performance measures that can be used in
evaluating progress and (2) establishing milestones and time frames for
processing and prioritizing assets across the many different
infrastructure sectors.
IAIP's progress in risk assessment--the second phase of risk
management--has been limited in several main respects. For example,
IAIP has experienced difficulties in carrying out requirements of the
Homeland Security Act of 2002 that charged IAIP with the responsibility
of conducting risk assessments of critical infrastructure and key
resources to determine the risks of particular types of terrorist
attacks. IAIP's original methodology for this task, called the Risk
Analysis and Management for Critical Asset Protection, required
extensive modification after its initial issuance in April 2004. IAIP
now views it as a tool for engaging industry in a risk management
dialogue with government. In September 2005, IAIP officials said they
are developing a National Comparative Risk Assessment to meet the
immediate need of examining risks within and across sectors, and they
plan to complete an interim assessment by the end of 2006. Challenges
to carrying out this timetable include the need to obtain key
information from other federal agencies and the fact that IAIP still
needs to award the contract for this effort. One specific issue is the
approach IAIP has taken in assessing the probability of various threat
scenarios. The Homeland Security Act calls on IAIP to assess the
probability of success of terrorist attacks, and during the course of
GAO's review, IAIP officials said they recognize the importance of
assessing the relative likelihood of an attack in meeting this
requirement. IAIP officials said that the lack of intelligence analysis
and data on such things as the capability and intent of terrorist
groups hinders their ability to assess probability, but that work is
under way in this regard. IAIP officials also pointed out that some
inaccuracy is to be expected in examining the intent and capability of
an adversary whose plans are concealed and that it will be important to
reduce the potential of low-confidence assessments having undue
influence when long-term investment decisions are made.
IAIP's progress in the three other phases of risk management
(evaluating alternatives, selecting a solution, and implementing and
monitoring that solution) will remain limited, in part because of the
points just discussed--performance goals and a complete risk assessment
methodology are not in place. Beyond these limitations, however, IAIP
faces additional challenges. For example, IAIP's role in selection,
implementation, and monitoring is further complicated because in many
instances, other entities have primary responsibility for selecting the
solution. For example, other agencies, such as the Department of
Defense or the Department of Energy, have primary responsibilities for
some of the infrastructure sectors covered in IAIP's assessments.
Additionally, much of the critical infrastructure is owned or operated
by private industry, and while IAIP does not have authority over them,
other federal agencies do have authority over infrastructure in
specific sectors. This condition highlights the importance of
coordination between IAIP and agencies with such regulatory authority.
For example, the Nuclear Regulatory Commission, which issues licenses
to nuclear power plants, has regulatory authority over security matters
at these facilities. IAIP officials said they use their expertise and
powers of persuasion to bring about specific actions but in most cases
cannot compel others to adopt IAIP's recommendations.
Overall Observations:
A great amount of effort has been applied. However, much more remains
to be done than has been accomplished so far. Across all three
components, the most progress has generally been made on fundamental
steps, such as conducting risk assessments of individual assets, and
less progress has generally been made on developing ways to translate
this information into comparisons and priorities across ports and
across infrastructure sectors, or applying it to new programs. Progress
among the three components' efforts has been far from consistent and
has tended to vary not only with the length of time the component has
been using a risk-based approach, but also with the component's own
maturity level and the complexity of its risk management task.
With regard to next steps that would appear to add the most value to
making further progress, one key observation is that in the short term,
progress is heavily dependent on continuing to improve basic policies,
procedures, and methods for applying risk management. Each component
has an admittedly difficult set of challenges ahead, but progress has
to be built on taking these incremental steps and doing them well. An
area that needs further attention by all three entities is working with
intelligence communities to develop improved analysis and data so that
the relative probability of various threat scenarios can be further
developed.
The final observation is that in the longer term, progress will become
increasingly dependent on how well the entire risk management effort is
coordinated. While absolute compatibility among all components' efforts
is likely impossible, even with components working in close
cooperation, strong coordination is important to help ensure that
component efforts are consistent rather than stovepiped. The risk
management efforts GAO examined appeared to be fueled by a strong
concern to make some headway, with coordination and interagency
consistency a lesser concern. For example, the Coast Guard initiated
efforts to set up a methodology for assessing and specifying risks
before IAIP was created; and in the view of IAIP officials, it was
important to proceed even though they recognized that doing so might
lead to approaches that would not mesh cleanly with the approach IAIP
would eventually develop. That approach appeared prudent in the short
term, in that if the Coast Guard had waited to begin until guidelines
had been set, it would still be waiting. Now, however, the need for
coordination is looming larger, and coordination is essential to the
success of efforts over time. Some of this coordination needs to come
from IAIP, which is required under presidential directive to issue
guidelines for other agencies to use, but it has yet to do so. Beyond
IAIP, DHS has an active role in this regard. This is a key issue for
the department as it moves from being an organization that is
essentially in its early stages to one that is increasingly being
expected to respond in a way that is more organizationally mature.
Since 2003, GAO has designated the implementation and transformation of
DHS as high risk because of the numerous challenges in transforming 22
agencies into one department and the serious implications of failure.
Translating the concept of risk management into applications that are
consistent and useful represents one of these challenges, and failure
to effectively address this could have serious consequences for
homeland security. In risk management, which the department has
embraced as the guiding principle behind its policies and operations,
IAIP's role is to act as an intra-agency and interagency coordinator of
homeland security activities. Doing so will strengthen its ability to
weigh risks and inform the decisions made across the homeland security
responsibilities of the many agencies involved.
Recommendations for Executive Action:
GAO is making a number of specific recommendations to the Secretary of
DHS with regard to the challenges faced by the three components. These
recommendations, listed specifically at the end of the relevant
chapters, cover such matters as developing performance goals and
measures, improving risk assessment methodologies, working with
intelligence communities to develop better data for risk assessment
purposes, and (for IAIP) developing guidance for other agencies to use
in evaluating risk and considering risk mitigation alternatives.
Agency Comments and Our Evaluation:
We provided DHS a draft of this report for its review and comment. DHS,
including the Coast Guard, ODP, and IAIP, generally agreed with our
findings and recommendations. For instance, DHS said that each DHS
component we reviewed has actions under way to address recommendations
made in the report. The comments from each component are summarized at
the end of the relevant chapters. In addition to commenting on our
findings and recommendations, DHS provided technical comments under
separate cover, and we revised the draft report where appropriate.
Written comments from DHS are reprinted in appendix II.
[End of section]
Chapter 1: Introduction: Risk Management Is a Key Tool for Homeland
Security:
This is a report about the nation's progress in applying risk
management to key aspects of homeland security. Risk management is a
widely endorsed strategy for helping policymakers make decisions about
allocating finite resources and taking actions in conditions of
uncertainty. It has been widely practiced for years in such areas as
insurance, construction, and finance. By comparison, its application in
homeland security is relatively new--much of it coming in the wake of
the terrorist attacks of September 11--and it is a difficult task with
little precedent. The goals for using it in homeland security include
informing strategic decisions on ways to reduce the likelihood that
adverse events will occur, and mitigate the negative impacts of and
ensure a speedy recovery from those that do. Achieving these goals
involves making policy decisions about what the nation's homeland
security priorities should be--for example what the relative security
priorities should be among seaports, airports, and rail--and basing
spending decisions on what approaches or strategies will do the most
good at narrowing the security gaps that exist. Risk management has
been widely supported by the President and Congress as a management
approach for homeland security, and the Secretary of the Department of
Homeland Security has made it the centerpiece of agency policy.
"Homeland security" is a broad term with connotations that resonate
from the September 11 attacks and other connotations that now resonate
from the disaster brought on by Hurricane Katrina in August 2005. Risk
management has applications for deliberate assaults like the September
11 attacks and natural disasters, such as hurricanes and earthquakes.
Our research was completed and the report largely written before
Hurricane Katrina struck. Thus, our work concentrated on components'
actions in response to terrorism.
This report examines how three DHS components have applied risk
management to certain aspects of their homeland security
responsibilities. The three components are the United States Coast
Guard, the Office for Domestic Preparedness, and the Information
Analysis and Infrastructure Protection Directorate. This report looks
at risk management efforts of the Coast Guard and ODP specifically
related to seaport security, and for IAIP, it looks at risk management
efforts related to IAIP's broader responsibilities in assessing
terrorist threats against all aspects of the nation's
infrastructure.[Footnote 4]
Risk Management Has a Long History of Use in Industry and Government:
Risk management can be described as the continuous process of assessing
risks, reducing the potential that an adverse event will occur, and
putting steps in place to deal with any event that does occur.[Footnote
5] It has been used in the private and public sectors for decades (see
table 1 for examples). For example, insurance companies use a variety
of statistical techniques to assess the level of risk for what they are
insuring. Within government, agencies use risk management to set
regulations and to protect the environment and the health and safety of
American taxpayers. Although some risk management methodologies and
processes can be complex and may require expert advice and support,
other aspects of risk management--such as setting goals and using
performance measures to track progress in meeting them--are well
understood and widely practiced.
Table 1: Examples of Risk Management in the Private and Public Sectors:
Private sector examples:
Type of application: Insurance;
How risk management is used: Insurance companies evaluate risks when
insuring businesses and homeowners against natural disasters. They
assess the probability of natural disasters, such as hurricanes and
earthquakes, based on past history and the costs resulting from the
damage caused or the lives lost. On the basis of analysis such as this,
companies set policies and costs that apply to businesses and
homeowners.
Type of application: Engineering;
How risk management is used: Engineering firms have analyzed risks
related to safety and security when designing chemical plants, nuclear
reactors, or bridges. Using risk analysis techniques, they examine the
possible threats to the safety and security of the structure and
evaluate ways to address the threat by considering various design
features that could reduce vulnerabilities or consequences. One example
is designing double-hulled oil tankers to reduce the risk of an Exxon
Valdez type oil spill.
Type of application: Banking and finance;
How risk management is used: Banks and financial institutions assess
risks associated with various investment options. For example, spending
funds on overseas investments could involve assessing political,
social, and financial risks as well as the potential market share that
could be gained. Assessments such as these inform decisions on where
and whether capital should be invested.
Public sector examples:
Type of application: Food and Drug Administration;
How risk management is used: The Food and Drug Administration assesses
risk associated with diseases related to various types of food. It
examines whether diseases are linked to types of fish and dairy goods.
It examines the types and costs of health problems that may occur and
it recommends and sets policies or regulations aimed at improving food
safety.
Type of application: Environmental Protection Agency;
How risk management is used: The Environmental Protection Agency
analyzes health risks caused by toxic chemicals, emissions from
vehicles, and other sources of pollution. It examines the extent to
which such pollutants may cause health problems and it sets and
recommends policies or regulations to minimize the risk to the public.
Type of application: Department of Defense;
How risk management is used: The Department of Defense uses a risk
management approach to protect its forces. For example, it has used
risk management to identify threats and vulnerabilities, and determine
which assets are the most critical and to make management decisions on
how to make its bases and related facilities more secure.
Source: GAO.
[End of table]
Application of Risk Management to Homeland Security Is Widely Endorsed
and Accepted:
Risk management was part of the nation's approach to assessing
terrorism before the events of September 11. For example, in the 1990s,
the Defense Special Weapons Agency assessed risks to evaluate force
protection security requirements for mass casualty terrorist incidents
at military bases. Companies under contract to federal agencies such as
the Department of Energy, the National Security Agency, and the
National Aeronautics and Space Administration used risk assessment
models and methods to identify and prioritize security requirements.
The Federal Aviation Administration and the Federal Bureau of
Investigation did joint threat and vulnerability assessments on
airports determined to be high risk. When we reviewed two of these
efforts in the late 1990s, we found a lack of formal risk assessment
requirements and made several recommendations to integrate risk-based
data into decision-making processes.[Footnote 6]
What September 11 changed was the intensity and magnitude of this task.
The September 11 attacks were clearly a transformational event for the
nation, in that they called attention to vulnerabilities throughout the
nation's infrastructure, not just in aviation security. While there
might always have been a concern, for example, about the consequences
of an accident in a chemical factory in a highly populated area, now,
these consequences had to be viewed not just from the standpoint of a
potential accident, but as something a terrorist could exploit.
Potential targets multiplied, and the scope of work to be done became
much greater. Homeland security spending rose from about $21 billion in
fiscal year 2001 to a proposed $50 billion in fiscal year 2006.
Risk management has received widespread support and interest from
Congress, the President, and the Secretary of DHS as a tool that can
help set priorities on how to protect the homeland. In this setting,
numerous and substantial gaps in security exist, but resources for
closing these gaps are limited and must compete with other national
priorities. Policymakers in the legislative and executive branches have
endorsed risk management as a technique that can inform decisions on
setting relative priorities and on making spending decisions.
In view of the widespread support that risk management has gained,
federal agencies are now required to assess risks. The Homeland
Security Act of 2002 calls for a comprehensive assessment of risk
related to vulnerabilities of critical infrastructure and key
resources, notably (1) the risk posed by different forms of terrorist
attacks, (2) the probability that different forms of an attack might
succeed, and (3) the feasibility and efficacy of countermeasures to
deter or prevent such attacks.[Footnote 7] Two congressionally
chartered commissions, the 9/11 Commission and the Gilmore Commission,
support the use of data on risks to help inform the difficult decisions
that must be made in allocating limited federal funds for security
measures. The President has issued policies directing the heads of
seven major departments or agencies to assess risks. The past and
present Secretaries of DHS have stated that actions of the department
will be guided through the use of risk management.
Department of Homeland Security Has Broad and Challenging
Responsibilities in Applying Risk Management:
Congress has charged DHS with lead responsibilities in carrying out or
coordinating homeland security programs and for applying risk
management in carrying out this responsibility. For two main reasons,
integrating a risk management approach into its business practices is a
major management challenge that faces DHS.
* First, relative to many other fields such as insurance or finance,
terrorism is a relatively new application for risk management. The
sources of the risk are intelligent adversaries with malevolent intent
with whom there is relatively little domestic experience. Unlike the
insurance or banking industries, which have extensive historical data
that are used to assess risks, DHS lacks such data on domestic
terrorism, and this limits any detailed analysis in assessing risk. As
a result, the probabilities and consequences of a terrorist act are
poorly understood and difficult to predict and greater reliance on
expert judgment is required. In January 2005, we identified risk
management as an emerging high-risk area. At that time, we noted that
DHS had not completed any risk assessments mandated by the Homeland
Security Act.[Footnote 8]
* Also, the size and complexity of homeland security activities add
another dimension of difficulty to the task. Since its inception in
March 2003, DHS has been faced with the challenge of transforming 22
agencies into one department in a way that results in an organization
with effective planning, management, and operations while carrying out
its critical mission of securing the homeland. Since 2003, we have
designated implementing and transforming DHS as high risk, because DHS
had to transform these many agencies--several with major management
challenges--into one department.[Footnote 9] Besides the challenge it
poses at the federal level, risk management also crosses jurisdictional
boundaries and involves state and local governments and private
industry stakeholders, and it requires a multidisciplinary approach
involving intelligence, law enforcement, strategic planning, and
program activities that address threats and vulnerabilities.
Within DHS, we examined the progress of three DHS components--the Coast
Guard, ODP, and IAIP--in administering risk management as part of their
management processes. Two of these components (Coast Guard and ODP)
have responsibilities related to seaport security. IAIP's
responsibilities are much broader and more difficult--it is responsible
for coordinating and assessing homeland risks across the federal
government. Here is an overview of the three components.
* The United States Coast Guard. The Coast Guard is the lead federal
agency for the security of the nation's ports. Its responsibilities
include protecting ports, the flow of commerce, and the maritime
transportation system from terrorism. As the lead in domestic maritime
security, the Coast Guard has a robust presence at the national,
regional, and port levels. The Coast Guard protects more than 300 ports
and 95,000 miles of coastline. By providing a secure environment, the
Coast Guard keeps maritime transportation open for the transit of
commercial goods, as well as assets and personnel from the armed
forces. In carrying out its mission, the Coast Guard has, among other
activities, conducted local and national assessments of security risks
at the nation's ports. The role of the Coast Guard in applying risk
management to port security is discussed in more detail in chapter 2.
* The Office for Domestic Preparedness. Within the Office of State and
Local Government Coordination and Preparedness, the Office for Domestic
Preparedness is responsible for administering federal homeland security
assistance programs for states and localities, including the port
security grant program. Since 2002, the program has awarded over $500
million in grants to state, local, and industry stakeholders to improve
security in and around their facilities or vessels. The role of ODP in
applying risk management to port security grants is discussed in more
detail in chapter 3.
* Information Analysis and Infrastructure Protection Directorate. The
Information Analysis and Infrastructure Protection Directorate is
responsible for, among other things, identifying and assessing current
and future threats to the homeland, mapping those threats against known
vulnerabilities, recommending protective measures, issuing warnings,
and offering advice on preventive and protective action. IAIP is
responsible for cataloging key critical infrastructure, then analyzing
various characteristics to prioritize this infrastructure for the
entire nation. These priorities are then to be used to direct
protective measures for port security as well as across all other kinds
of infrastructure. The role of IAIP in applying risk management to
ports and other infrastructure is discussed in more detail in chapter
4.
Seaports Are an Important Focus in the Homeland Security Response:
Seaport security receives substantial focus in this report because
seaports have been widely regarded as vulnerable to attack. One reason
is that the nation's seaports and inland waterways play a vital role in
the nation's economy and national security. From an economic
perspective, ports are critical links in the commercial trade and
transportation systems, with more than 95 percent of the nation's non-
North American foreign trade, including 100 percent of foreign oil,
entering the country through seaports. The range of commodities
involved includes not only a wide variety of consumer and agricultural
products, but also cargo considered dangerous such as liquefied
petroleum gas. A significant portion of this waterborne trade comes via
cargo containers that are expected to move in and out of ports quickly,
in keeping with industry expectations of just-in-time delivery. Port
facilities are also used to ship military cargo abroad, and the
Departments of Defense and Transportation have designated about 17
ports as "strategic" to support wartime mobilization, deployment, and
resupply. Finally, not only are ports key hubs in our transportation
system, they also function as centers of industrial, commercial, and
financial activity. As such, they are home to many assets that are
deemed to be among the nation's most critical infrastructure, which is
to be protected under the USA PATRIOT Act of 2001 and the Homeland
Security Act of 2002.
A second reason that seaports are potentially vulnerable is the wide
range of targets and attack possibilities they encompass. Facilities
such as container terminals, where containers are transferred between
ships and railroad cars or trucks, must be able to screen vehicles
entering the facility and routinely check cargo. Chemical factories and
other installations where hazardous materials are present must be able
to control access to areas containing dangerous goods or hazardous
substances. Vessels, ranging from oil tankers and freighters to
tugboats and passenger ferries, must be able to restrict access to
onboard areas, such as the bridge or other control stations critical to
the vessels' operation. Possible terrorist scenarios range from the use
of improvised explosive devices to attack ferries to the use of
recreational boats to ram key infrastructure in and around ports.
A Framework for Risk Management:
While there is a consensus that risk management should be applied to
homeland security programs, doing so is a complex task that has few
precedents and little specific guidance. The Homeland Security Act and
presidential directives have called for the use of risk management.
However, they did not define how risk management was to be
accomplished. Given that there are no established universally agreed
upon set of requirements or processes for risk management of homeland
security, we developed a framework that can be broadly applied to a
range of settings, such as analyzing security in the maritime sector
and other environments. We did so by gathering, reviewing, and
analyzing an extensive amount of public and private sector work;
interviewing experts from private consulting companies in the areas of
risk management and risk computer-modeling; interviewing experts on
terrorism; and utilizing our own past work in this area. We also
solicited comments and feedback from academic experts in risk
management. As part of our work, we briefed officials of the three DHS
components about the various phases of the framework, and the officials
generally agreed with its structure and intent. The application of risk
management to homeland security is relatively new, and the framework
will likely evolve as processes mature and lessons are learned.
The framework we developed is a conceptual synthesis of risk management
approaches that we use as criteria to assess the adequacy of DHS's risk
management systems (see fig. 2). For further information on the
framework and how we developed it, see appendix I.
Figure 2: A Framework for Risk Management:
[See PDF for image]
[End of figure]
This framework may be applied governmentwide and at various
organizational levels, from departmental down to individual programs.
The figure illustrates the cyclical nature of this approach, and while
the phases are generally linear, changes can be made at any step in the
process as new information becomes available. The five major phases of
risk management are detailed below.
Strategic Goals, Objectives, and Constraints:
According to the framework, management decisions are to be made in the
context of the organization's strategic plan, with clearly articulated
goals and objectives that flow from the plan. Performance measures that
are clear, concise, and measurable are linked to the broader goals and
can be used to measure progress toward these goals. An organization's
program and risk planning documents address risk-related issues that
are central to its mission.[Footnote 10] However, various constraints
can take many forms and have an impact on risk related strategies. For
example, some constraints may be imposed by statute, organizational
policy, or budget restrictions. Managers at different levels within an
agency or organization may encounter various constraints that differ
with the scale of the operation.
Risk Assessment:
Risk assessment helps decision makers identify and evaluate potential
risks facing key assets or missions so that countermeasures can be
designed and implemented to prevent or mitigate the effects of the
risks.[Footnote 11] In our framework, risk assessment is a function of
threat, vulnerability, and consequence. The product of these elements
is used to develop scenarios and help inform actions that are best
suited to prevent an attack or mitigate vulnerabilities to a terrorist
attack, in conjunction with the risk-based evaluation of alternatives
undertaken while considering cost and other factors.
* Threat is the probability that a specific type of attack will be
initiated against a particular target/class of targets. It may include
any indication, circumstance, or event with the potential to cause the
loss of or damage to an asset. It is based on an understanding of an
adversary's intention, motivation, history of attacks, and capability
to do damage. Analysis of threat-related data is a critical part of
risk assessment. Information for characterizing threat can be gained
from a variety of sources, such as the intelligence and law enforcement
community, as well as from past activities of various terrorist groups.
Understanding an underlying pattern of attacks on target types is
useful in predicting future terrorist events and planning mitigation
strategies. However, the unexpected threats not contained in the
historical record of terrorist groups also need to be considered.
Ultimately, one purpose of assessing threats is to assign relative
probabilities to various types of attacks.
* The vulnerability of an asset is the probability that a particular
attempted attack will succeed against a particular target or class of
targets. It is usually measured against some set of standards, such as
availability/predictability, accessibility, countermeasures in place,
and target hardness (the material construction characteristics of the
asset). Each of these four elements can be evaluated based on a
numerical assignment corresponding to the conditional probability of a
successful attack. The probability that a particular vulnerability
could be successfully exploited is, in part, a function of the
effectiveness of the antiterrorism countermeasures.
* The consequence of a terrorist attack is characterized as the
expected worst case or worse reasonable adverse impact of a successful
attack. The consequence to a particular asset can be evaluated when
threat and vulnerability are considered together. The outcome of a
terrorist attack may include many forms, such as the loss of human
lives, economic costs, and adverse impact on national security.
Another closely related element taken into consideration is criticality
(that is, the relative importance) of the asset involved. Criticality
involves the prioritization of assets based on factors such as the
potential for loss of life and the economic implications for the
livelihood, resources, or wealth of the area, region, or country if the
asset were to be lost. Layers of effective security countermeasures
increase the likelihood that a terrorist attack will be unsuccessful as
risk is reduced.
Alternatives Evaluation:
Risks can be reduced through various antiterrorism countermeasures or
countermeasure systems designed to prevent an attack or mitigate the
impact of an attack. Two concepts here are key to evaluating
countermeasure alternatives. The first is that countermeasures should
be evaluated against specific risk assessments to determine the extent
to which risks can be reduced by the countermeasure being considered.
The second concept is the role of costs to both public and private
sources, as costs are a critical element in the application of
countermeasures. In our framework, cost-benefit analysis is critical in
assessing alternatives, because it links the benefits derived from risk-
reducing alternatives to the costs associated with implementing and
maintaining them.
Management Selection:
Management selection in our framework is informed by the outputs in the
preceding phases. Having assessed risks and evaluated countermeasure
options, management selects the blend of intervention strategies and
activities across the entire spectrum of goals, objectives, and
components of risk that achieves the greatest expected risk reduction
in relation to cost for both the short and the long term among the
various proposed alternatives. However, the technical analysis of
alternatives is not likely to resolve or fully capture the numerous
elements of concern to management. Decision makers may employ various
risk-reducing strategies. However, preferences and value judgments will
influence decisions about which strategies to employ. For example,
corporate culture may influence decision makers to concentrate
countermeasures on a relatively few critical assets, while others may
value distributional impacts, that is, some organizations may be more
willing than others to distribute resources over a wider array of
assets. Management selection is an important task, and decisions are
made with the information that is available. Our guidelines for
effective internal controls dictate that once decisions are reached,
they, along with the rationales for them, should be documented in order
to inform future actions.
Implementation and Monitoring:
This phase in the framework involves the implementation of the selected
countermeasures. Following implementation, monitoring is essential in
order to help ensure that the entire risk management process remains
current and relevant, and reflects changes in the effectiveness of the
alternative actions and the risk environment in which it operates. It
is crucial to exploit any and all information sources, exercises,
gaming, modeling and simulation, analysis of real world events, and
sharing of information in a data sparse environment. Measurable
objectives show the degree to which activities, timelines, support
functions, service delivery, and spending are consistent with goals and
implemented in accordance with the planning process. Program evaluation
is an important tool for assessing the efficiency and effectiveness of
the program. In addition to simply monitoring the implementation of the
system and making adjustments, the entire risk management planning
process should be periodically revisited. Since technology and
information change at a rapid pace, countermeasures in place today may
be outdated tomorrow and may become more susceptible to being breached.
In addition, consultation with external subject area experts can
provide a current perspective and an independent review in the
formulation and evaluation of the program.
Objectives, Scope, and Methodology:
Our overall aim was to provide a perspective on how three DHS
components have applied risk management as it relates to homeland
security in general, or to port security in particular. More
specifically, this report addresses the following objectives:
* What progress has the Coast Guard made in applying risk management to
its port security mission, and what challenges does it face in moving
further?
* What progress has ODP made in applying risk management to its
administration of the port security grant program, and what challenges
does it face in moving further?
* What progress has IAIP made in applying risk management to comparing
and prioritizing critical infrastructure with one another and what
challenges does it face in moving further?
* Are there key observations that can be drawn from all three of these
efforts with regard to how far the three components have come in risk
management as it applies to terrorism?
To determine what progress the Coast Guard has made in applying risk
management to its port security mission and the challenges that it
faces, we met with Coast Guard officials responsible for port security
risk assessment efforts to discuss the progress they have made and the
challenges that remain. We discussed risk management efforts and
challenges with Coast Guard officials at four ports--Baltimore,
Maryland; Charleston, South Carolina; Houston, Texas; and Seattle,
Washington--who were responsible for risk management activities. We
judgmentally selected these ports because of their geographic
distribution, and the results from our interviews cannot be generalized
to ports nationwide. In addition, we reviewed documents of the Port
Security Assessment Program, the Port Security Risk Assessment Tool,
Area Maritime Security Plans, the National Risk Assessment Tool, the
National Maritime Security Profile, and the National Maritime Strategic
Risk Assessment. We also reviewed key legislation such as the Maritime
Transportation Security Act of 2002 and prior GAO reports on maritime
security. Finally, we reviewed threat assessments produced by the
National Maritime Intelligence Center and the Transportation Security
Agency to gain a more complete understanding of the challenges.
To determine what progress ODP has made in applying risk management to
its administration of the port security grant program and the
challenges that it faces, we compared fiscal year 2004 and fiscal year
2005 ODP port security grant program procedures. In order to understand
the grant process and the risks related to individual ports, we
reviewed the risk assessment tools used by ODP officials, including the
Coast Guard's Port Security Risk Assessment Tool.[Footnote 12] We
reviewed and summarized a database listing fiscal year 2004 grant
applications and awards to determine the extent to which criteria for
awards coincided with the receipt of grant awards. We reviewed the
Inspector General's (IG) January 2005 report of the port security grant
program and discussed the recommendations contained in the report with
ODP officials. We examined procedural changes made by ODP, in response
to the IG recommendations and other factors, to the 2005 grant
application process. We did not review the fiscal year 2005 award
decisions because we had completed our fieldwork before award decisions
were announced, in September 2005. We met with Coast Guard, Maritime
Administration, ODP, and IAIP officials involved in the port security
grant program process. We also reviewed pertinent legislation, such as
appropriations for the grant program for successive fiscal years.
To determine what progress IAIP has made in applying risk management to
comparing and prioritizing critical infrastructure, and what challenges
it faces in moving ahead, we reviewed key legislative and executive
documents, such as the Interim National Infrastructure Protection Plan,
the Homeland Security Act of 2002, Homeland Security Presidential
Directives 7 and 8, national strategies, and DHS's strategic plan. We
met with IAIP officials responsible for identifying and prioritizing
threats, vulnerabilities, and consequences across different types of
critical infrastructure to determine the obstacles they face in making
such evaluations and the challenges they face in making progress in
this area. We reviewed documents, such as the Risk Analysis and
Management for Critical Asset Protection and the Buffer Zone Protection
Program. We interviewed Office of Management and Budget (OMB) officials
responsible for oversight of issues involving infrastructure protection
to obtain their views on risk management practices across the federal
government.
To determine whether there are key observations that can be drawn from
the three components we reviewed, we analyzed and synthesized the
findings we developed to identify challenges that remain in applying
risk management to homeland security. We compared the three components'
progress in applying risk management principles to their respective
tasks, identified common experiences in applying risk management, and
drew conclusions about issues that may need addressing. We reviewed
numerous documents, including pertinent statutes and presidential
directives, GAO reports on high-risk programs in the federal
government, the National Strategy for the Physical Protection of
Critical Infrastructures and Key Assets, and testimony by the Secretary
of DHS.
We performed our work in accordance with generally accepted government
auditing standards between May 2004 and November 2005.
[End of section]
Chapter 2: The Coast Guard Has Made Progress in Using Risk Management,
but Challenges Remain:
The Coast Guard has established a foundation for applying risk
management to port security; its next challenges are to refine and
strengthen its approach. The Coast Guard has made progress in all five
phases of risk management (see table 2). For the first phase--goals and
objectives--the Coast Guard has established broad strategic goals for
port security, and its next challenge is to translate these goals into
specific, measurable objectives that can be used to assess performance.
The Coast Guard has actions under way to address this challenge--a key
step in determining the extent to which its actions actually reduce
risk. The Coast Guard has made the most progress in the second phase--
conducting risk assessments. Six separate but related assessment
efforts, covering both individual ports and the nation as a whole, have
given the Coast Guard a clearer sense of the vulnerabilities that
exist. However, current assessments are limited in terms of their
methodology, and they do not allow the Coast Guard to compare and
prioritize relative risks across ports--limitations that the Coast
Guard recognizes and is taking steps to address. Enhancing these first
two risk management phases is key to making further progress on the
next two phases--evaluating risk mitigation alternatives and selecting
a particular alternative for action. Without measurable objectives and
more complete methodologies, the risk management process may not be
able to target the most significant security concerns or determine the
most cost-effective approach to take in providing reasonable
protection. Additionally, weaving data produced from the risk
management process into the annual cycle of program review remains a
challenge. Finally, with regard to the fifth phase--implementation and
monitoring--the Coast Guard has demonstrated the ability to evaluate
its efforts and make improvements. However, more extensive and more
formal feedback mechanisms would help ensure that Coast Guard
headquarters managers can inform field staff about actions taken as a
result of the comments received about the risk management process. The
Coast Guard has actions under way to improve feedback loops.
Table 2: Summary of Progress Made and Challenges That Remain in the
Coast Guard's Risk Management Approach:
Risk management phase: Strategic goals, objectives, and constraints;
Examples of progress made: High-level strategic goals have been set for
port security nationwide and for port locations across the country;
Examples of remaining challenges: High-level goals have not been
translated into measurable objectives. The Coast Guard recognizes the
importance of developing measurable objectives and is working to do so.
Risk management phase: Risk assessment;
Examples of progress made: Several types of risk assessments have been
conducted at both the port and the national level. They have given the
Coast Guard the ability to compare and prioritize infrastructure within
a port;
Examples of remaining challenges: Data on threats, vulnerabilities, and
consequences have limitations; Methods have not been developed to allow
the Coast Guard to compare and prioritize risks across ports; Coast
Guard officials agreed they have challenges and are taking action to
address them.
Risk management phase: Alternatives evaluation;
Examples of progress made: Using local risk assessments, the Coast
Guard has developed alternative approaches to prevent attacks and
reduce vulnerabilities;
Examples of remaining challenges: At the national level, the Coast
Guard's methodology for evaluating alternatives is limited. National
risk assessments generally lack cost and benefit data on alternative
ways to mitigate port security risks. The Coast Guard is taking steps
to address this challenge by examining benefits (reductions in risk)
and the estimated costs in doing so.
Risk management phase: Management selection;
Examples of progress made: Coast Guard officials have been able to use
expert knowledge or data from risk assessments to select specific
alternatives, such as establishing security zones around key
infrastructure, improving security around ferries and cruise ships, and
coordinating security improvements (such as fences, gates, and cameras)
around key infrastructure;
Examples of remaining challenges: Methodological limits in risk
assessments and alternatives evaluation hinder the quality of data that
informs management decisions. Informing the annual cycle of program
review with data from risk management processes has been limited. The
Coast Guard recognizes these challenges and has actions under way to
address them.
Risk management phase: Implementation and monitoring;
Examples of progress made: The Coast Guard has implemented improvements
to some of its risk assessment tools to make them stronger and has
invited feedback from staff on how processes are working;
Examples of remaining challenges: Existing feedback mechanisms are
limited to largely informal processes, reducing communication between
headquarters and field staff about actions taken as a result of the
comments or feedback provided. The Coast Guard plans to include formal
feedback loops in one of its risk assessment tools by the end of 2005.
Source: GAO analysis of the Coast Guard's risk management efforts.
[End of table]
Coast Guard Homeland Security Activities Revolve Heavily around the
Maritime Domain:
The Coast Guard is the lead federal agency responsible for protecting
domestic ports. In this role, the Coast Guard must identify, evaluate,
and mitigate many kinds of security challenges. Ports are often
sprawling enterprises that contain key infrastructure besides docks,
piers, ships, barges, and warehouses. Many ports are also home to power
plants, chemical factories, bridges and tunnels, and a variety of other
assets of critical importance to the nation's economy and its defense.
Coast Guard expenditures and activities for port security have risen
dramatically since the terrorist attacks of September 11. The Coast
Guard estimates that its budget for port security has jumped from about
$250 million in fiscal year 2001 to about $1.5 billion in fiscal year
2005. Since the terrorist attacks, the Coast Guard has carried out a
myriad of port security activities, including increasing its
intelligence capabilities, carrying out more harbor patrols and vessel
escorts, establishing security zones, and working more extensively with
federal, state, local, and industry stakeholders on port security
matters as required by the Maritime Transportation Security Act of 2002
(MTSA).
While much of the Coast Guard's homeland security efforts center
specifically on ports, these activities are part of the agency's
broader mission of Ports, Waterways, and Coastal Security (PWCS). This
mission involves protecting the maritime domain and marine
transportation system; preventing terrorist attacks, and responding to
and recovering from attacks that do occur.[Footnote 13] As part of the
PWCS mission, the Coast Guard aims to develop greater "maritime domain
awareness"--that is, improving port stakeholders' understanding about
anything associated with the global maritime environment that could
adversely affect the security, safety, economy, or environment of the
United States. Maritime domain awareness seeks to identify threats as
soon as possible and far enough away from domestic ports to eliminate
or mitigate the threat. Several Coast Guard efforts are under way to
help address both port security and marine domain awareness. In
particular:
* The Coast Guard is planning to expand its sector command centers,
where officials can receive data 24 hours a day on maritime activities.
Currently, the Coast Guard plans to develop sector command centers at
35 ports.[Footnote 14]
* The Coast Guard is involved in a major recapitalization effort--
called the Integrated Deepwater System--to replace and modernize the
agency's aging fleet of aircraft and vessels, including improved and
integrated command, control, communications and computers,
intelligence, and surveillance and reconnaissance capabilities. Since
the terrorist attacks of September 11, the Coast Guard has revised its
plans, and the Deepwater program now includes improving maritime domain
awareness and maritime security capabilities as part of its mission.
This program is scheduled to take 20 years and cost between $19 billion
and $24 billion.
Federal statutes and presidential directives call for the Coast Guard
to use risk management in its homeland security efforts. MTSA, for
example, calls for the Coast Guard and other port security stakeholders
to carry out a variety of risk-based tasks, including assessing risks
and developing security plans for ports, facilities, and
vessels.[Footnote 15] The Coast Guard's progress across the various
risk management phases is thus a key part of its homeland security
mission. The remainder of this chapter discusses the Coast Guard's
progress and challenges on each of the phases in GAO's framework.
Goal-Setting: High-Level Goals Are in Place, with Efforts Under Way to
Set Measurable Objectives:
The Coast Guard has been able to make some progress in the first phase
of the risk management framework, in that it has established high-level
strategic goals for its PWCS mission. The Coast Guard set its national
strategic goals for port security in December 2002.[Footnote 16] In
order of priority, the goals were as follows:
* preventing terrorist attacks within, and terrorist exploitation of,
the maritime domain;
* reducing America's vulnerability to terrorism in the maritime domain;
* protecting population centers, critical infrastructure, maritime
borders, ports, coastal approaches, and the boundaries and seams
between them;
* protecting the U.S. marine transportation system while preserving the
freedom of the maritime domain for legitimate pursuits; and:
* minimizing the damage and expediting the recovery from attacks that
may occur within the maritime domain as either the lead federal agency
or a supporting agency.
Working with federal, state, local, and industry stakeholders involved
in port security, the Coast Guard has also developed security plans for
port areas across the country. These plans reflect the characteristics
and needs of the individual ports, and in general, they aim to deter a
terrorist incident and improve communication among port stakeholders.
These plans are specific to each port location and are aligned with
higher-level port security goals.
While the Coast Guard has set broad goals for its port security
mission, it still faces challenges in developing objectives into more
specific and measurable results that measure progress toward these
goals. So far, the Coast Guard has expressed its port security
objectives in terms of activity levels, such as conducting patrols,
escorting vessels, and inspecting cargo. While such activities may have
contributed to improved security in and around the nation's ports,
using them as measures may not systematically target areas of higher
risk and may not result in the most effective use of resources, because
these measures are not pointed toward outcomes. They describe what
levels of activity, or outputs, the Coast Guard is providing, but they
do not provide an indication of what these activities are
accomplishing. Doing so requires measures that are clearly tied to
results. Such measures would indicate the extent of progress made and
help identify the security gaps that still remain.[Footnote 17]
Developing measurable objectives is a complex and difficult task, but
Coast Guard officials recognize that doing so is a necessary next step
and plan to have such objectives developed in fiscal year 2006. In
September 2005, the Coast Guard stated that it plans to develop a
measure of its performance that will be based on an assessment of
threat, vulnerability, and consequence. The Coast Guard plans to
develop objectives for reducing overall risk. As part of this process,
the Coast Guard plans to assess the impact of its activities in
reducing threats, vulnerabilities, and consequences.
Risk Assessments: Progress Has Been Substantial, but Challenges Remain
for Addressing Limitations in Assessment Data and Methodology:
The Coast Guard's risk management activities have centered primarily on
this phase of the risk management process, with assessments being
conducted at both port and national levels. Further progress on the
quality of these assessments is challenged by several types of
limitations in the data and the methodology being used.
Several Sets of Assessments Have Been Completed at the Port and
National Levels:
Following the terrorist attacks of September 11, and consistent with
MTSA's directives, the Coast Guard has greatly expanded the scope of
its risk assessment activities. Before the attacks, these assessments
centered on matters such as ecological damage and general marine
safety. In 1999, for example, the Coast Guard adopted a risk management
approach for its marine safety and environmental mission area.
Assessments of key infrastructure in and around ports came largely
after the attacks. Three such assessments have been done at the port
level (see table 3).[Footnote 18] These assessments included data on
threats, vulnerabilities, and consequences--the three types of
information used in evaluating risk:
* Threats. The assessments gathered information on plausible threat
scenarios, such as using weapons of mass destruction, ramming a vessel
or facility, or detonating devices underwater. In general, local Coast
Guard personnel or other federal and nonfederal stakeholders decided
what threat scenarios to include in the assessment based on their
knowledge of the port.
* Vulnerabilities. The assessments evaluated threat scenarios against
potential targets, such as passenger vessels, bridges, or terminals, to
assess the degree to which these potential targets were vulnerable to
attack.
* Consequences. Finally, the three assessments addressed the potential
outcomes of successfully carrying out a threat against a potential
target. These consequences included such matters as loss of life,
damage to the environment, damage to property, and economic disruption.
Table 3: Port-Level Assessments Conducted by the Coast Guard:
Port-level risk assessment: Port Security Risk Assessment Tool (PS-
RAT);
Description: Implemented in November 2001, PS-RAT is a computer- based
tool for determining the risk associated with specific attack scenarios
against key infrastructure or vessels in local ports. It was used to
compare and prioritize risks among critical infrastructures at a port.
In November 2002, the Coast Guard improved the tool to address
inconsistencies in data among ports, and it included additional factors
for mitigation, such as recoverability from an attack.
Port-level risk assessment: Port Security Assessment Program;
Description: Begun in August 2002 and completed in March 2005, this
program produced a vulnerability assessment of 55 of the nation's most
strategic commercial and military ports. To identify which ports were
of the most strategic importance, the Coast Guard considered such
factors as cargo volume, ferry and cruise ship traffic, population
density around the port, and presence of critical infrastructure.
Port-level risk assessment: Area Maritime Security Plans;
Description: Required under the Maritime Transportation Security Act of
2002, these plans describe a communication and coordination framework
for port stakeholders and law enforcement officials to follow in
addressing security vulnerabilities and responding to incidents. The
Coast Guard has completed plans for all 43 designated port areas.
Source: GAO analysis of the Coast Guard's port-level assessments.
[End of table]
These assessments have resulted in considerable progress in
understanding and prioritizing risks within a port. In particular, the
Port Security Risk Assessment Tool (PS-RAT), a computer program that
includes possible threat scenarios, allows the Coast Guard to assess
risks and develop relative rankings for infrastructure at each port
location. At one port, PS-RAT was used to compare and inform priorities
on over 1,000 critical items of infrastructure.
Three other efforts have focused on assessments at the national level
(see table 4).[Footnote 19] These efforts have relied in part on data
and information generated from the local assessments described above,
but they have also incorporated additional information. For example,
the National Maritime Security Profile integrated available information
from the intelligence community--a step that had not been carried out
in any of the local risk assessments. Another assessment, the National
Maritime Strategic Risk Assessment, sought to develop risk profiles for
each of the Coast Guard's strategic goals; it examined specific mission
areas, including port security, search and rescue, and law enforcement,
and it sought input from field commanders on ways to mitigate key
risks. According to Coast Guard staff, this was the first attempt at a
large-scale strategic risk assessment that sought to assess the status
of the maritime domain.
Table 4: National-Level Assessments Conducted by the Coast Guard:
National-level assessments: National Risk Assessment Tool;
Description: Implemented in February 2002, this tool provided a
foundation for strategically evaluating the risks in the maritime
domain. It incorporated 50 types of infrastructure and 12 possible
attack scenarios and included information on threat, vulnerability, and
consequences. Information from the local tool (PS-RAT) was used in
developing the results.
National-level assessments: National Maritime Security Profile;
Description: Developed in 2003-2004, this profile assessed critical
infrastructure, possible threats, vulnerabilities, and consequences. It
used PS-RAT and the national risk assessment tool, among other methods,
to develop the profile, and it gathered input from the intelligence
community to improve data on threats for its PWCS mission.
National-level assessments: National Maritime Strategic Risk
Assessment;
Description: Launched in August 2004, this is an effort to communicate
risks in each of the Coast Guard's missions. As part of this risk
assessment, the Coast Guard used information from the National Maritime
Security Profile. Among other things, this effort identified possible
intervention strategies for addressing risk areas.
Source: GAO analysis of the Coast Guard's national-level assessments.
[End of table]
While the port-level assessments focus on specific assets and
infrastructure at each location, national assessments have focused more
generally on understanding the risk posed to various classes of assets
(such as container ships, barges, power plants, or bridges and tunnels)
by various types of attacks (such as using explosives, taking control
of an asset, or using weapons of mass destruction). These national
assessments address, for example, whether the maritime domain is at
greater risk from a takeover of a power plant or from a weapon of mass
destruction planted on a container ship. The national assessments do
not compare risks faced by specific assets at one port with risks faced
by specific assets at another port.
Key Challenges Involve Improving Data and Methodology:
The progress in conducting risk assessments is tempered by a number of
challenges that remain in making these assessments more robust tools
for informing the risk management process. These challenges are
numerous and complicated, and this chapter illustrates some of the
important issues the Coast Guard faces in making its risk assessments
more useful. The challenges discussed here involve (1) improving the
threat, vulnerability, and consequence data on which the assessments
are based and (2) addressing methodological limitations that affect the
reliability, completeness, and applicability of the risk assessments
themselves.
Limitations of Data on Threats, Vulnerabilities, and Consequences:
Our review of the Coast Guard's processes and our discussions with
Coast Guard personnel surfaced a number of data-related problems that
limit the reliability and completeness of the risk assessments (see
table 5). For example, the tools require information not only about the
types of threats a facility may face, but also about the probability of
such threats occurring. The threat data received by the Coast Guard
from the intelligence community do not allow the Coast Guard to model
these probabilities, thus limiting the value of the output. The
problems we identified have implications for the ability to effectively
compare risks faced by the various types of port-related
infrastructure.
Table 5: Examples of Data-Related Challenges in Coast Guard Risk
Assessments:
Data type: Threats;
Summary of challenge: The information received from intelligence
sources is generally useful, but it lacks the detail that allows the
Coast Guard to model the relative probability of various threat
scenarios. For example, the Coast Guard cannot assign a relative
probability to various threat scenarios, affecting the ability to
characterize threats without either understating or overstating them.
In practice, the calculation of threat was essentially held constant
for Coast Guard-wide analysis of PS-RAT data.
Data type: Vulnerabilities;
Summary of challenge: The Coast Guard's tools for assessing risk
currently do not take into account (1) reductions in vulnerability that
stem from the Coast Guard's actions (such as security patrols or other
monitoring) or (2) the effect that multiple strategies (such as fencing
and guards) may have on reducing vulnerabilities. As a result, the
tools may overstate the degree of vulnerability that exists.
Data type: Consequences;
Summary of challenge: The Coast Guard's tools measure the direct
effects of a terrorist attack, such as loss of lives and property
damage, but they do not consider the secondary effects, such as loss of
jobs that may occur. This limitation likely understates the overall
consequences resulting from an attack.
Source: GAO analysis of the Coast Guard's risk assessment efforts.
[End of table]
These challenges are complex and technical, and the following examples
illustrate the kinds of limitations they pose:
* Limitations in threat-related data. The intelligence information the
Coast Guard normally receives about threats is not specific enough for
all of the threat scenarios in the National Maritime Security Profile
or the PS-RAT.[Footnote 20] For example, the type of threat data that
Coast Guard personnel could use to model threats includes data on the
presence of terrorist cells nationally and internationally, the
capability and intent of terrorist groups as they relate to specific
types of attack in and around ports, and the specific target groups.
Increasing the quality of this information would improve the quality of
the output. For example, when the Coast Guard received and integrated
higher-quality information about some threats from its Intelligence
Coordination Center, it modified data for 80 of about 300 threat
scenarios in its National Maritime Security Profile.
* Limitations in vulnerability-related data. The Coast Guard's risk
assessment tools were designed to evaluate existing security in and
around a building or vessel, but according to Coast Guard officials,
the baseline established by the tools excludes areawide actions the
Coast Guard has taken to reduce vulnerabilities in and around ports,
such as conducting more patrols, creating operational centers, or
establishing security zones in and around key ports. The baseline also
excludes actions taken by local port stakeholders, such as increasing
the number of harbor patrols conducted by local law enforcement. The
Coast Guard designed its tools this way because the primary purpose of
the tools was to provide a port-level risk ranking of assets. Using
this information, the Coast Guard could then use tools, such as the PS-
RAT, to measure the benefit and value of any interventions for a
specific vessel, facility, or asset type that it initiates against the
original baseline. Coast Guard officials recognize that another tool
would be useful in determining the overall vulnerabilities that exist
after all Coast Guard actions have been taken.
* Limitations in consequences-related data. The Coast Guard's
assessment of consequences is limited to direct effects of a terrorist
attack, such as loss of lives and property damage; it does not consider
important secondary effects, such as follow-on effects to the economy,
including loss of jobs or increased energy costs that may occur months
after an attack. This limitation likely understates the overall
consequences that result from an attack and may distort relative risks
associated with various threat scenarios. Coast Guard officials note
that estimating secondary effects is important but difficult since
there is a lack of accepted methods for doing so. A second limitation
is that there is no commonly agreed upon value for a consequence such
as death or injury, or the symbolic effect of destroying a national
symbol such as the Statue of Liberty. For example, the Coast Guard's
model places a dollar value of $1 million (in 2005 dollars) on the loss
of a life. Other components, such as the Environmental Protection
Agency, use a monetary value of $6.1 million (in 1999 dollars). The
value chosen can affect the priorities that emerge from using the risk
assessment tools.
We discussed these data-related limitations with Coast Guard officials,
who generally agreed with our observations. The Coast Guard has since
planned or started several actions designed to address some of these
limitations. Coast Guard officials said they plan to improve PS-RAT
based in part on the limitations discussed above.[Footnote 21] For
example, they made changes in procedures for obtaining information from
the Intelligence Coordination Center and have focused on improving the
quality of information received from the intelligence
community.[Footnote 22] In addition, the Coast Guard plans to improve
vulnerability and consequence data. For example, the Coast Guard plans
to assign weights to different levels of consequences. Coast Guard
officials said they hope to accomplish these changes by the end of
2005.
Methodological Limitations:
Two key methodological limitations affect the use of risk assessment
data as a tool for informing decision makers on relative risks across
port locations. The first limitation relates directly to the ability to
compare and prioritize one port with another, while the second
limitation relates to the process used to rank and prioritize
individual threats.
* Risks cannot be compared between ports. PS-RAT results were not
designed to compare the risks at one port with risks at
another.[Footnote 23] While PS-RAT allows the Coast Guard to compare
and prioritize key infrastructure within a port, it does not produce a
risk ranking that permits the Coast Guard to compare and prioritize
infrastructure across ports. Interport comparisons, while theoretically
possible, are difficult to actualize in practice. In general terms, the
difficulties stem largely from the fact that, for each port, multiple
scenarios must be considered; the scenarios that are deemed most
relevant to each port, however, will differ from port to port. For
example, ports that support passenger ferries and container cargo may
be exposed to different risks than ports that primarily support bulk
cargo. Comparisons are further limited because Coast Guard personnel at
different ports use different methods to input data into PS-RAT. For
example, Coast Guard officials at some field offices have summarized
information on a type of asset, such as all bridges at a port location,
while officials at other locations have developed data on each bridge
in the area of responsibility. We discussed this limitation with the
Coast Guard officials, and during the course of our review, the Coast
Guard initiated work on a Maritime Security Risk Assessment Model
(MSRAM)--a model that should permit the Coast Guard to compare the
relative risks of high-value assets at one port with assets at a
different port. The model is to include an analysis of various threat
scenarios, vulnerabilities, and consequences. Overall, the MSRAM is to
score and characterize risk associated with individual assets,
including the estimated likelihood of an attack, the vulnerability of
the asset should an attack occur, and the impacts of a successful
attack. The Coast Guard has also requested data from the Intelligence
Coordination Center on intent and capability that could improve the
estimate of relative likelihood of various threat scenarios. Coast
Guard officials said they plan to implement the MSRAM by the end of
2005.
* Risks viewed as less probable could surprise the Coast Guard. The
Coast Guard evaluates hundreds of threat scenarios that are deemed
plausible--focusing attention, ultimately, on those threats that,
together with identified vulnerabilities and consequences, pose the
greatest overall risk. For example, in the National Maritime Security
Profile, the Coast Guard classifies the risk of various threat
scenarios as very high, high, medium, low, and very low, and it centers
attention on scenarios that it estimates are very high or high risk.
The Coast Guard's approach, although a useful starting point, may not
be as reliable as the process would appear to suggest given the data
limitations we describe above. How agencies like the Coast Guard deal
with scenarios that receive low rankings is important in addressing the
possibility of strategic surprise--an attack scenario that may not be
identified or given high priority in the initial risk assessment
process. Without sensitivity analysis or formal feedback loops to
reassess all scenarios and therefore provide greater assurance that the
rankings are as reliable as possible, the risk of being unprepared for
strategic surprise may increase.[Footnote 24] The Coast Guard addresses
this issue by making appropriate adjustments in priorities when
tactical and strategic information call for such changes. We discussed
this issue further with agency officials, and partly on the basis of
these discussions, the Coast Guard is taking additional steps to
address this issue. It is doing so by (1) increasing coordination among
risk stakeholders at all levels to improve checks throughout the risk
management cycle, (2) making refinements to threat data by requesting
the Intelligence Coordination Center to provide estimates of capability
and intent of terrorist groups, (3) including time horizons for various
scenarios, and (4) leveraging independent assessments conducted by
different subject matter experts as a way of checking its risk
assessment work.
Evaluation of Alternatives: Ability to Evaluate Alternatives Is
Greatest at the Local Level:
Just as the Coast Guard's ability to assess risk is stronger at the
individual port level than across ports, its ability to evaluate
various alternatives for addressing these risks is greater at the port
level as well. PS-RAT was specifically developed to help local Captains
of the Port concentrate and prioritize their resources and evaluate
alternative methods of risk reduction. Data from PS-RAT help identify
vulnerabilities within a port and can be used in improving security
measures related to the area maritime security plans. PS-RAT is not
designed to work, however, above the port level. At the national level,
the Coast Guard has conducted qualitative evaluations of the potential
benefits of various alternatives for reducing risk levels, such as
improved information sharing through the use of interagency operational
centers, waterborne patrols, and escorting ships. In addition, it is
assessing the potential reduction in risk of different strategies for
improving awareness of the maritime domain.
The effectiveness of such evaluations, both within and between ports,
is influenced to a large degree by the performance standards and goals
that are set, as well as the reliability and completeness of the risk
assessments that are conducted. To the extent that goals are missing
and risk assessments produce data that do not completely and reliably
depict threats and vulnerabilities, the prospective evaluation of
benefits and costs of future mitigation strategies may not target the
areas with the greatest gaps or lead to the most cost-effective
decisions.
In examining various alternatives, a key consideration will be
measuring the overlapping benefits of different strategies as a means
of developing data on what set of alternatives may provide the most
improved security in return for the resources expended. These
overlapping benefits and costs may involve Coast Guard actions, such as
expanding the number of operational centers at port locations or
procuring new ships and aircraft, or actions by others, such as more
inspections of container cargo shipments or developing better
intelligence capability. The Coast Guard's evaluation of alternatives
generally involves examining its own possible actions, such as
developing proposals to expand the number of operational centers,
without placing the cost of such actions in context with other
alternatives that have already been deployed or that could be used. In
discussions with us, Coast Guard officials said addressing this issue
was part of the Coast Guard's efforts to further refine its risk
management approach. For example, the Coast Guard is working toward
examining alternatives by assessing the degree to which they reduce
risk in exchange for the cost involved.
Management Selection: Local Strategies Have Been Selected but Would Be
Better Informed by Improvements in Phases for Goal Setting and Risk
Assessment:
In regard to management selection--the fourth phase of the framework--
the Coast Guard has used its port-level assessments to select specific
mitigation strategies to manage vulnerabilities in and around
facilities. For example, local Captains of the Port have used the
assessment information in coordination with input from local
stakeholders to (1) establish security zones around key port
infrastructures; (2) improve security in and around passenger vessels;
and (3) coordinate security improvements, such as fences, cameras, and
barriers around port infrastructures. At the national level, the Coast
Guard is designing and planning to implement an array of radar systems,
sensors, and information systems to identify and track possible threats
in the maritime domain. One element of this effort is the establishment
of maritime intelligence fusion centers that cover the Pacific and
Atlantic coasts. These fusion centers are providing intelligence to the
Coast Guard intelligence network in the field, and the centers share
information with interagency partners, such as the Navy and Customs and
Border Protection.
In general, progress in this area is affected heavily by the same
factors affecting progress in evaluating alternatives: progress in
setting measurable performance objectives and improving the reliability
and completeness of risk assessments. The various phases of the risk
management model build and rely on one another, and in this case the
quality and reliability of the results are heavily affected by the
quality and reliability of efforts in the first two phases.
Another major challenge will be to strategically integrate risk-based
data into other management systems, such as the annual cycle of program
and budget review for assessing how to deploy resources among ports.
Coast Guard officials acknowledged that using risk-based data to inform
the annual budget cycle is an important step and are taking further
steps to address them. For example, the Coast Guard's MSRAM tool will
compare risks at one port with those at another port, and the data
produced could inform the Coast Guard's annual budget review of
programs and resource allocation. In addition, based in part on our
discussions with Coast Guard officials, the Coast Guard's resource
planning guide for fiscal years 2008-2012 calls attention to the
importance of joining these processes. The guide states that by
"employing principles of risk management and using our understanding of
strategic risks to Coast Guard mission performance, we will be able to
make better decisions regarding investment, re-investment and base
management priorities."
Implementation and Monitoring: A Foundation for Continuous Improvement
Is in Place; Challenges Remain in Refining It and Developing Formal
Policies:
The Coast Guard has made progress in the fifth phase of the framework-
-implementation and monitoring--by improving existing tools and systems
in a variety of ways. For example:
* The Coast Guard has improved PS-RAT; version 2, developed in November
2002, by providing such improvements as greater detail on consequence
data. Additionally, the MSRAM will include improvements in the quality
of threat information in its analysis.
* The Coast Guard used the Port Security Assessment Program to further
refine area maritime security plans by offering intelligence and other
information to the local Captains of the Port on security issues the
plan may not have covered.
* In November 2004, the Coast Guard started conducting the National
Maritime Strategic Risk Assessment to obtain comments and feedback from
Coast Guard area and headquarters staff on its mission areas, including
its port security mission. Among other things, the staff provided input
on ways that the Coast Guard could improve the manner in which it
carries out its port security mission and reduce any gaps in coverage.
For example, staff identified opportunities for leveraging resources,
such as strengthening the partnership with nonfederal stakeholders
involved in maritime security, as well as potential gaps in the port
security mission, such as training, equipment, and technology. This
information was summarized by a Coast Guard consultant and was provided
to managers in Coast Guard headquarters.
In some cases, this progress is limited to a degree by a lack of a
formal policy for taking action on feedback that is received about ways
to improve the risk assessment and management approach. For example,
when the Coast Guard receives feedback from field staff on ways to
improve its strategic approach, there are no formal policies for
addressing the issues raised. Without such policies, there is little
assurance that the feedback received will inform decisions to improve
risk management practices and ultimately port security. For example, a
Coast Guard official at one port noted that while there are informal
communication channels to offer feedback on the PS-RAT, there are no
formal procedures for doing so, and that such procedures would be
useful in addressing concerns of local users when using the tool.
Recognizing that there was no formal feedback process for the PS-RAT,
the Coast Guard developed an ad hoc methodology to gather feedback from
the users of the tool. In March 2005, Coast Guard headquarters hosted a
workshop to obtain input from Coast Guard field offices on ways to
improve the PS-RAT. The workshop resulted in a list of possible
modifications to the PS-RAT and a plan to develop the MSRAM. Coast
Guard officials acknowledge that a formal feedback process would be
beneficial, and they plan to include one as part of the Coast Guard's
MSRAM.
Identifying and addressing organizational barriers to the Coast Guard's
ability to improve or carry out its risk management approaches is a
final consideration for the monitoring and implementation phase. One
key organizational challenge is building and sustaining expertise and
skills for effectively designing and using the risk management tools,
techniques, and models necessary for managing the Coast Guard's efforts
in carrying out its port security and maritime domain awareness
responsibilities. The Coast Guard provides training on risk-based
decision making at its training center. Recently, the Coast Guard
revised its officer evaluation form by including "risk assessment" as a
key leadership competency for its officers. Partly on the basis of the
briefings we provided to agency officials, the Coast Guard plans to
carry out workshops to examine ways to integrate risk management into
the PWCS strategic plan and activities. Applying risk management tools
and techniques is a complex undertaking, and it requires a managed
effort to maintain and build organizational expertise and skills to do
the job well.
Conclusions:
The foundation the Coast Guard has established for risk management is
generally sound. It represents a strong commitment on the Coast Guard's
part to using risk management effectively in making decisions. Further,
the Coast Guard, often acting on discussions held during the course of
this review, has actions under way to address many of the concerns we
identified. The most difficult work ahead revolves around
systematically integrating risk-based information into management
systems, including the annual cycle of program review, that can help
inform decisions about how to deploy resources and security measures
among ports and to examine the value of new programs in addressing
security gaps that remain. In this regard, the Coast Guard's efforts
are still in the early phases of development. As the Coast Guard moves
forward, it is especially important that the agency develop ways to
establish a stronger linkage between the various local and national
risk assessment efforts under way. For example, area maritime security
plans are not comparable, and security risks at one port location
cannot be compared with the risks identified at another location. As a
result, the collective value of these individual efforts is diminished.
Developing ways to establish a stronger linkage would likely increase
the value of the work.
Recommendations for Executive Action:
We are not making recommendations in those areas where the Coast Guard
has actions well under way. The recommendations below are designed
primarily to spotlight those areas in which additional steps are most
needed to strengthen agency efforts to implement a risk management
approach to the Coast Guard's port security activities. Accordingly, we
recommend that the Secretary of Homeland Security direct the Commandant
of the Coast Guard to take action in the following two areas:
* Risk assessment: Develop plans to establish a stronger linkage
between local and national risk assessment efforts. This effort could
involve strengthening the ties between local assessment efforts, such
as area maritime security plans, and national risk assessment
activities.
* Alternatives evaluation and management selection: Ensure that
procedures for these two processes consider the most efficient use of
resources. For example, one approach involves refining the degree to
which risk management information is integrated into the annual cycle
of program and budget review.
Agency Comments and Our Evaluation:
In commenting on a draft of chapter 2, DHS, including the Coast Guard,
generally agreed with our findings and recommendations. DHS said that
the report notes that the Coast Guard has made progress in all five
risk management phases and is taking action to address the challenges
that remain. In addition to commenting on our recommendations, the
Coast Guard provided several technical comments under separate cover,
and we revised the report when appropriate. Written comments from DHS
are in appendix II.
[End of section]
Chapter 3: Stronger Risk Management Approach Could Improve the
Accountability of the Port Security Grant Program:
The Office for Domestic Preparedness within the Department of Homeland
Security has made progress in applying risk management to the port
security grant program but faces challenges in strengthening its
approach, as demonstrated in part by its experience in awarding past
grants. Examples of progress--and challenges--can be found across all
five risk management phases (see table 6). ODP has established overall
goals for the grant program but faces challenges in setting specific
and measurable program objectives, in part because this effort hinges
on similar action by other federal agencies. ODP's progress, with input
from the Coast Guard and IAIP, has been greatest in conducting the
actual risk assessments. It assessed 129 ports and, using risk-based
prioritization, narrowed to 66 the number of ports eligible to apply
for fiscal year 2005 grants. Its methods for assessing risks and
evaluating mitigation alternatives, however, still are limited in their
ability to prioritize relative risks across ports or to calculate the
costs and benefits of various alternatives. Finally, while ODP has also
made progress in developing a risk-based grant selection process and
mechanisms to monitor what the grants accomplish, it has not always
completely relied on a risk-based process. For example, grant awards
for fiscal year 2004 illustrate the trade-offs that occur when
attempting to award grants to applicants that are at greater risk and,
at the same time, provide funds to applicants that have the larger
financial need. At the end of what was, in part, a risk-informed
assessment process, ODP change the criteria for awarding grants when it
decided to give lower priority to grant applications involving projects
at large companies, on the assumption that these companies were better
able than other entities to pay for their own security improvements.
This changed 40 percent of the grants originally recommended for an
award, as projects with higher risk but greater potential for self-
funding gave way to lower-risk projects with more limited funding
prospects. ODP changed the process for fiscal year 2005 by clarifying
the criteria it would use in awarding grants and by requiring
applications from private entities to match at least 50 percent of the
total amount requested.
Table 6: Summary of Progress and Challenges in the Port Security Grant
Program:
Risk management phase: Strategic goals, objectives, and constraints;
Examples of progress made: High-level strategic goals have been set for
the port security grant program;
Examples of remaining challenges: The program is missing measurable
program objectives to show the progress that has been made.
Risk management phase: Risk assessment;
Examples of progress made: In its May 2005 guidelines, ODP has
prioritized spending decisions by identifying 66 key seaports that are
eligible for awards, and it is placing greater reliance on the use of
risk assessments at port locations.[A];
Examples of remaining challenges: Threat, vulnerability, and
consequence data have limitations. The degree to which risk assessments
compare and prioritize risk across ports remains a challenge.
Risk management phase: Alternatives evaluation;
Examples of progress made: Unlike efforts in previous years, the fiscal
year 2005 effort examined alternative solutions proposed by nonfederal
stakeholders and ODP, and the Coast Guard assessed the cost and
benefits of the projects;
Examples of remaining challenges: The degree and extent to which
proposals can be accurately evaluated and benefits calculated for risk
reduction remains uncertain. ODP is working with the Coast Guard to
deal with this challenge.
Risk management phase: Management selection;
Examples of progress made: For fiscal year 2005, criteria for
management selections include the prioritization of projects based on
the criticality of ports and proposals that reduce vulnerabilities to
certain threat scenarios. These risk-based criteria were not used in
prior fiscal years;
Examples of remaining challenges: For fiscal year 2004, internal
controls for documenting management decisions were not followed. For
fiscal year 2005, ODP documented grant award decisions in a database.
Risk management phase: Implementation and monitoring;
Examples of progress made: In fiscal year 2005, ODP has made a number
of improvements to better monitor implementation of its risk management
process;
Examples of remaining challenges: For fiscal year 2004, additional
improvements were needed to obtain formal feedback from grant program
stakeholders. For fiscal year 2005, ODP has developed formal feedback
loops from grant program stakeholders.
Source: GAO analysis of ODP's port security grant program.
[A] The Coast Guard provided various data on ports, such as amount of
total cargo, domestic cargo, international cargo, number of passengers
using ferries, and number of passengers using cruise ships. ODP
prioritized ports by evaluating these data to determine a list of the
66 highest-risk port areas.
[End of table]
ODP Manages Port Security Grants:
The port security grant program was established in fiscal year 2002
under the purview of the Transportation Security Administration (TSA),
which became part of DHS in March 2003.[Footnote 25] Because of
organizational changes within DHS, the grant program has been
administered by ODP within the Office of State and Local Government
Coordination and Preparedness since May 2004. ODP was transferred from
the Department of Justice to DHS upon passage of the Homeland Security
Act of 2002.
The grant program provides assistance to nonfederal stakeholders for
making security improvements at the nation's ports. During fiscal years
2002-2004, grants from the program totaled about $560 million and
covered such concerns as more fencing, cameras, and communications
equipment. For fiscal year 2005, the appropriations act for DHS
provided $150 million for port security grants.[Footnote 26] The 2005
program focused on three primary concerns: (1) protection against
improvised explosive devices carried by small craft, underwater craft,
or vehicles; (2) enhanced explosives detection capabilities for the
owners and operators of vehicle ferries and associated facilities (as
shown in fig. 3); and (3) facility security enhancements in the
nation's highest-risk ports. The program is designed to operate in
coordination with federal partner agencies and industry.[Footnote 27]
Grantees are selected through a competitive process.
Figure 3: Facilities at One of the Nation's Major Ports:
[See PDF for image]
[End of figure]
For fiscal year 2006, the Office of Management and Budget had proposed
consolidating the port security grant program with other homeland
security grant programs. Known as the Targeted Infrastructure
Protection Program, the program would have consolidated funding for
ports, transit, and other critical infrastructure into one program.
However, DHS's appropriations act for fiscal year 2006 maintained
separate funding for the port security grant program. In particular,
the act provided a $175 million appropriation for the port security
grant program that, "shall be awarded based on risk and
threat."[Footnote 28]
In January 2005, the DHS Office of the Inspector General issued a
report on the Port Security Grant Program that covered the program's
second and third rounds of grants--through fiscal year 2003.[Footnote
29] This report made a number of recommendations, and in response, ODP
initiated a number of changes to the program, according to ODP grant
program officials. Our discussion of the grant program reflects the
changes ODP had made at the time of our report.
Goal Setting: Overall Goals Have Been Set; Developing Performance
Measures and Leveraging Federal Dollars Remain Challenges:
Progress has been made on setting goals--the first phase of GAO's risk
management framework--for the port security grant program. Congress and
the Administration have laid out broad policy goals for maritime
security and for the program. Congress's stated purpose in establishing
the program was to finance the costs of enhancing facility and
operational security at critical national seaports.[Footnote 30] The
Administration has set the program in the context of the December 2004
Presidential Directive on Maritime Security Policy, which cites several
broad policy goals for maritime security, including preventing
terrorist attacks in the maritime domain and reducing vulnerability to
such attacks; protecting U.S. population centers, critical
infrastructure, borders, harbors, ports, and coastal approaches; and
maximizing awareness of security issues in the maritime domain in order
to respond to identified threats.[Footnote 31]
DHS's application guidelines for fiscal year 2005 grants reflect the
context of these broad policy goals. They state that the program
reflects congressional and executive intent "to create a sustainable
effort for the protection of critical infrastructure from terrorism,
especially explosives and nonconventional threats that would cause
major disruption to commerce and significant loss of life," and they
link the program to specific national priorities specified in the
nation's security planning framework.[Footnote 32] Other ways in which
the 2005 grant program reflects a goal-oriented approach are its
efforts to apply the grants to locations that are viewed as the
nation's highest-risk ports (discussed in more detail below) and to
focus the grants on such specific concerns as protection against
improvised explosive devices.
While broad policy and program goals have been set, challenges to
further progress on this risk management phase take two main forms. The
first is translating the program's broader goals into measurable
objectives. One difficulty in doing so is that other federal partner
agencies have yet to spell out measurable objectives at the national
level as related to protecting key infrastructure. For example, as
discussed in chapter 2, the Coast Guard's Maritime Strategy for
Homeland Security describes strategic approaches and priorities, but it
does not include measurable objectives as part of its
approach.[Footnote 33] In addition, DHS has yet to set performance
measures for programs related to the implementation of programs for
protecting critical infrastructures--another program area that the
grant program supports.[Footnote 34] We discuss this further in chapter
4.
A second challenge involves determining an appropriate way to consider
two different federal concerns about grant programs: ensuring that
grants address key needs while at the same time ensuring that they make
the most efficient use of federal dollars. This challenge exists for
several reasons:
* Federal and nonfederal partnership for addressing key needs. First,
the federal government is not the only potential source of revenue for
addressing security needs. Ports are often a complex mixture of public
sector and private sector infrastructure. For example, public entities
such as port authorities or local and state governments may own or
operate seaport facilities and roadways, while private companies and
interests may own and operate factories, warehouses, oil refineries,
and railways.[Footnote 35] Ports can produce benefits that are public
in nature (such as general economic well-being) and distinctly private
in nature (such as generating profits for a particular company). The
public benefits they produce can also be distinctly local in nature,
such as sustaining a high level of economic activity in a particular
state or metropolitan area. Thus, state and local governments, like
private companies, also have a vested interest in ensuring that their
ports can act as efficient conduits of trade and economic activity.
Given that homeland security threats can imperil this activity, it can
be argued that all of these stakeholders should invest in the continued
stability of the port.
* Leveraging federal dollars. Second, in many federal grant programs,
the desired outcome is that federal grants supplement what other
stakeholders are willing to spend. If a grant program is not designed
to encourage supplementation, the danger is that other stakeholders
will rely solely on the federal funds and choose to use their own funds
for other purposes. This practice is known as substitution, and the net
result is that limited federal funds cannot be stretched, or leveraged,
to the degree they otherwise could be. In prior work addressing this
issue in certain other grant programs, we found that on average, every
additional federal grant dollar resulted in about 60 cents of
substitution.[Footnote 36]
Although the design of a grant program is not part of the risk
management framework, it is an important issue because it is one key to
accomplishing the dual aims of targeting funds to projects that address
the highest risk while discouraging the replacement of state, local,
and private funds with federal money. ODP's approach for 2005 has been
to formalize a matching requirement for private sector stakeholders but
not for public sector stakeholders. For fiscal year 2005 grants, ODP
required that applications from industry match at least 50 percent of
the total amount requested.
This situation illustrates the complexity of addressing the most
significant security needs while considering the degree to which
nonfederal stakeholders should share in the cost of security
improvements. For fiscal year 2005, the program encourages but does not
require public sector or nonprofit entities to match federal funds,
according to ODP officials. Depending on the value placed on reducing
the substitution of federal funds for local funds, the design of the
port security grant program offers a way to improve the fiscal impact
of federal dollars. There is disagreement among policymakers about
where the emphasis should be on this aspect of grant programs. Some
might see the substitution of federal funds for local funds as
reasonable given differences in fiscal capacity, while others may view
homeland security as a shared fiscal responsibility. If policymakers
place greater value on reducing the substitution of federal funds for
local funds, strengthening matching requirements for such entities
offers one option. The 2006 appropriation for the port security grant
program includes a federal matching requirement.[Footnote 37] ODP has
not yet issued its 2006 port security grant guidance clarifying how it
will implement this requirement. One way to implement the requirement
involves using a sliding scale for matching federal funds depending on
the fiscal capacity of the grant applicant. Such a scale could range,
for example, from an 80 percent matching requirement for Fortune 500
companies to a 25 percent matching requirement for those entities that
have less in monetary resources.[Footnote 38]
Risk Assessments: The Funding Distribution Model Is Becoming Better
Able to Consider Risk, but Methodological Challenges Remain:
ODP has made progress in carrying out risk assessments--the second part
of the risk management framework--but the progress made is balanced by
the additional methodological challenges that remain. ODP's progress is
reflected in changes made to the program for fiscal year 2005, in both
port-level and national-level assessments. Among other things, ODP has
placed greater emphasis on using threat, vulnerability, and consequence
data in prioritizing applications and port locations. Nonetheless,
various methodological challenges remain in the assessment tools or the
assessments themselves. For example, ODP is still limited in its
ability to compare and prioritize applications from one port with those
from a different location.
Procedures for the Fiscal Year 2005 Port-Level and National-Level
Assessments Have Been Strengthened:
At the port level, a key difference in ODP's fiscal year 2005 grant
procedures is that input from other stakeholders plays a more prominent
role in the award decisions. ODP obtained such input in prior years but
did not formally consider it in making decisions. For example, in
making its determinations for fiscal year 2004 grants, ODP sought input
from the Coast Guard Captains of the Port and from regional directors
of the Maritime Administration. These officials reviewed and ranked
port security grant applications based on their knowledge of the port
location and the results of various assessments, including the PS-RAT.
ODP officials said they considered this input, but they did not
integrate rankings into the evaluation forms used in the ODP assessment
process. In this regard, the DHS IG found that ODP should place greater
emphasis on risk reduction as part of the grant review
process.[Footnote 39] In responding to the IG's findings, for fiscal
year 2005, the rankings made by Coast Guard, Maritime Administration,
and state officials are part of the formula ODP uses to make final
decisions on grant awards.[Footnote 40] Additionally, the 2005 program
places greater emphasis on applications that are consistent with area
maritime security plan priorities.
ODP's adjustments to its fiscal year 2005 procedures are even greater
at the national level, where it has made a concerted effort to narrow
the program to ports of greatest concern, and to use threat,
vulnerability, and consequence data to rank and prioritize both ports
and applications. For grants made in fiscal year 2004, ODP considered
applications from all ports in making awards. For the 2005 program, ODP
worked with IAIP and the Coast Guard to develop a list of eligible
ports. The agency first identified the largest ports based on volume.
According to ODP officials, a risk formula was developed to rank each
of the ports. In May 2005, ODP determined that, on the basis of this
assessment, 66 of the 129 largest-volume ports across the country were
eligible for grant awards.[Footnote 41] ODP further prioritized the 66
ports by dividing them into four tiers--tier 1 representing those ports
with the highest risk and tier 4 representing ports with the lower
risk. ODP provided a set amount of money to each tier, and ports in
these tiers competed against each other for funding. In carrying out
its analyses, ODP also placed greater reliance on threat,
vulnerability, and consequence information.
Beyond reducing the number of ports eligible for the grant program,
another change ODP made at the national level was to prioritize
possible threat scenarios that grant funds should address, using input
from Coast Guard officials. ODP has given priority to applications that
prevent or detect threats arising from improvised explosive devices.
Such devices pose a threat to transportation systems across the nation
and have been used by terrorists in the past. Specifically, for the
2005 grant program, ODP has given priority to the following threat
scenarios:
* preventing and detecting improvised explosive devices delivered via
small craft,
* preventing and detecting underwater attacks from such devices, and:
* preventing and detecting vehicle-born improvised explosive devices on
ferries.
Challenges Remain for Improving Methods and Data:
ODP's assessment methodology, while improved, still faces challenges.
Progress in using risk assessment data to manage the grant program has
limitations in methods and data for informing award decisions. These
challenges, if addressed, would provide decision makers with more
reliable and complete data on which to prioritize and award grant
funds. The challenges fall into two main categories: (1) incomplete
threat, vulnerability, and consequence data and (2) methodological
inability to fully compare grant applications from one port with those
from another port.
Incomplete Data on Threats, Vulnerabilities, and Consequences:
Our review of ODP's risk assessment approach and our discussions with
ODP and Coast Guard personnel identified several challenges related to
data on threats, vulnerabilities, and consequences (see table
7).[Footnote 42] Many of these challenges mirror the challenges faced
by the Coast Guard that we described earlier in chapter 2.
Table 7: Examples of Data-Related Challenges in ODP Risk Assessments:
Data type: Threats;
Summary of challenge: Data on threats provide a useful starting point.
However, ODP is challenged, just as the Coast Guard is, in conducting
risk assessments without data on the relative likelihoods associated
with various threat scenarios. Information from the intelligence
community on such things as the presence of national or international
terrorist cells, and on the capability and intent of terrorist groups
as they relate to types of scenarios and the specific infrastructure
type, would enhance ODP's ability to model relative probabilities of
threat scenarios.
Data type: Vulnerabilities;
Summary of challenge: ODP's assessment of vulnerabilities does not take
into account actions that have already been taken to reduce
vulnerabilities (such as more patrols, fencing, and guards). While ODP
has prioritized certain scenarios, the vulnerability assessments are
not linked to specific threat scenarios, thus limiting the value of
vulnerability scores.
Data type: Consequences;
Summary of challenge: Similar to its assessment of vulnerabilities,
ODP's assessments of consequences are not linked to specific threat
scenarios. Instead, ODP uses values such as population density near a
port or cargo tonnage to measure consequences.
Source: GAO analysis of ODP's risk assessment for the port security
grant program.
[End of table]
The following examples illustrate the challenges posed by the
limitations in threat, vulnerability, and consequence data.
* Limitations in threat-related data. ODP's current characterization of
threat cannot be interpreted as an estimate of relative probability of
threat scenarios--a key element of risk assessment--in and around
ports.[Footnote 43] The problems we pointed out in chapter 2 about
threat data are applicable here as well: The threat information
available from intelligence agencies does not provide the type of data
that could be used to more fully inform ODP's decisions. More complete
data would include such things as information on the presence of
national or international terrorist cells, the capability and intent of
terrorist groups as they relate to types of attack, and on the specific
infrastructure types that have been attacked. ODP officials said that
the scarcity of threat data limits their ability to inform the decision-
making process and that decisions are based on the best available
combination of data and expert judgment. Because threat data are
limited, ODP bases its models on several proxies for risk. For example,
ODP used volume of cargo that moves into and out of ports as a way to
develop its list of the 129 ports that could initially be candidates
for the grant program. ODP then assessed the relative risk at these
ports by using, among other things, a threat variable represented by
the number of "credible threats and incidents" and the number of
"vessels of interest" (i.e., suspicious vessels) that use a port
facility. These data originated from the intelligence community, the
Coast Guard, and IAIP. ODP recognizes, however, that threat data on
ports are scarce, and data on the number of credible threats and
incidents and vessels of interest may not represent actual threats, but
instead could also represent other law enforcement problems, such as
illegal migrants or theft of goods and merchandise. The challenges in
developing reliable data on probability affect the overall risk
assessment for a port area, given a specific attack scenario. Without
data or models that measure the relative probability of various threat
scenarios, ODP may not target the most significant security concerns.
Limitations in vulnerability-related data. As we described in chapter
2, the Coast Guard's PS-RAT excludes from its analysis reductions in
vulnerabilities resulting from security measures that have already been
taken by the Coast Guard, such as inspecting passenger vehicles that
board ferries, escorting high-interest vessels, and establishing
security zones around the port. ODP's assessment of vulnerabilities
involves specific aspects of individual port areas themselves, namely,
data on the length of the channel leading to a port, the number of port
calls by all ships, and the number of tankers that use a port. While
such data are representative of the intrinsic vulnerabilities of a
port's location, they do not include such factors as guards, fences,
and cameras that are already in place; security zones that have been
established; or escorts of high-interest vessels that occur. As a
result, the assessment may overstate vulnerabilities for port
locations. Also important is the fact that ODP's approach to evaluating
port area vulnerabilities excludes consideration of specific threat
scenarios. For example, while they have identified certain threat
scenarios as priorities, the vulnerability indicators are not linked
directly to scenarios, such as the use of improvised explosive devices.
Without this linkage to the threat component of the risk assessment
process, ODP's approach to vulnerability assessments may not consider
certain factors, such as the number of areas in a port location where
recreational vessels are unmonitored, and how such factors may be
conducive to certain threat scenarios, such as loading improvised
explosive devices on such vessels.
Limitations in consequences-related data. The values used by ODP to
describe the consequences of a terrorist attack may not accurately
depict the damages resulting from a terrorist attack. In valuing the
consequences of an attack, ODP focuses on people-related, economic-
related, and national security-related measures.[Footnote 44] For
example, ODP uses maximum population density within 10 miles of a port
and the average number of daily ferry passengers to estimate the
consequences of a terrorist attack at a port, and it aggregates these
measures. Similarly, ODP uses international and domestic tonnages, the
amount of containerized cargo, and the dollar value of foreign trade to
measure the economic consequence of a terrorist attack. While these
provide a useful starting point, there are two issues related to this
approach. First, without linking these data to the relative probability
of various threat scenarios, ODP's estimate of consequences is limited
to inherent characteristics of a port rather than the estimated
consequences of various attack scenarios. In contrast, agencies such as
the Coast Guard estimate the number of lives lost and assign a dollar
value to the loss of human lives. Second, ODP aggregates the estimated
number of lives lost with the dollar value of foreign trade. Doing so
raises questions about the reliability and meaning of the final output.
Methodological Limitations:
As was the case with the Coast Guard, a key methodological limitation
affects one goal of risk assessments--informing decision makers on
relative risks across port locations. This limitation relates directly
to the ability to compare the relative risks of facilities at one port
with those at another port. When field review teams rank and prioritize
grant applications, they use several sets of data, including
information provided on the application, personal knowledge of the
port, and the results of the PS-RAT, which gives ranking information
for a given port area on vulnerability and consequence.[Footnote 45] As
discussed in chapter 2, PS-RAT, however, cannot now be used to compare
the risks at one port with those at another. PS-RAT allows ODP to
compare and prioritize key infrastructure within a port, but it does
not produce a risk ranking that permits ODP to compare and prioritize
infrastructure across ports. Coast Guard efforts to develop a tool that
examines relative risks across ports will aid ODP in addressing this
limitation.
Alternatives Evaluation: ODP Recognizes the Importance of Evaluating
Alternatives, but Tools for Doing So Are Limited:
Evaluation of alternatives--the third phase of GAO's risk management
framework--is an area that ODP recognizes as being an important part of
awarding grants, and the changes for fiscal year 2005 represent
progress in this area. One change for fiscal year 2005 involves
additional steps to consider benefits and costs. When ODP asks local
Coast Guard Captains of the Port to review applications, one criterion
it asks them to apply is which projects offer the highest potential for
risk reduction for the least cost. For 2005, ODP plans to augment
evaluation by conducting an analysis of costs and benefits of the
project (which considers the potential for risk reduction), and it
shares the results with the Coast Guard.
As part of this assessment, ODP plans to break out applications from
the 66 eligible port locations into four tiers and give applications
from ports that are in higher tiers more priority and more money. Port
areas with the highest risk are assigned to tier 1 and port areas with
the lowest risk are assigned to tier 4.
ODP's ability to assess proposed security improvements, like the Coast
Guard's, is influenced by the program goals and performance measures
that the component sets and the reliability and completeness of the
risk assessments that it carries out. However, when measurable
objectives are missing, the degree to which security gaps remain and
the extent to which progress has been made remain unclear. Similarly,
while PS-RAT provides a starting point for evaluating the proposed
measures and the extent to which the measure narrows security gaps
within a port, it was not designed to compare and prioritize relative
risks from one port to relative risks in a different port. This
condition limits ODP's ability to compare the benefits of proposed
security measures from an applicant at one port location with benefits
of proposed measures at a different port.
Management Selection: ODP Has Addressed Problems in Documenting
Differences between Initial Selection Recommendations and Final
Selection Decisions:
Earlier in this chapter, we discussed the importance--and difficulty--
of balancing potentially conflicting goals, such as ensuring that funds
are directed to projects of the greatest risk while at the same time
stretching limited federal dollars to the maximum degree. ODP's
selection of grants for 2004 illustrates the challenges in applying a
risk-based approach to awarding grants and the trade-offs involved in
attempting to balance risk and financial need as criteria. In order to
achieve accountability, federal standards for internal controls require
that all transactions and other major events need to be documented.
Basically, about 40 percent of ODP's final selection decisions were
different from the initial recommendations of lower-level evaluators,
without documentation from reviewers explaining why they disagreed with
the initial recommendations. According to officials involved in the
program, before the final selections were made, the Secretary of
Homeland Security issued guidance indicating that Fortune 500 companies
should be able to pay for their own security improvements and that
ferries and port authorities should receive higher priority in the
final award decisions than other applicants. ODP officials said that
the fact that they followed this new guidance affected the final
ranking of grant applicants. The tension between self-funding and
security priorities illustrates the need for effective internal
controls to ensure that procedures are followed and that the resulting
selection decisions are transparent and clearly documented. ODP has
taken action to address this problem.
In the 2004 grant award process, ODP's initial assessments resulted in
recommendations for funding 154 specific proposals.[Footnote 46]
However, our analysis of the final grant awards showed that about 40
percent of the initial 154 applications that were recommended for a
grant award by lower-level evaluators that examined grant applications
did not receive an award. Table 8 shows examples of the types of
changes that occurred.
Table 8: Examples of Changes in Funding Decisions:
Examples of projects initially recommended for funding but ultimately
not approved: One applicant requested grant funds to improve security
involving the construction of two main entrance access barricades,
perimeter lighting, and additional cameras. The applicant offered to
share costs--about 20 percent of the $468,000 that it was requesting.
After its initial review, ODP staff ranked this application as the
third highest and recommended it for an award. The final decision
ranked this applicant 228 out of 287 applicants, and the application
did not receive an award. According to staff familiar with this
project, the applicant received a lower ranking because it was a
Fortune 500 company.
Examples of projects initially recommended for funding but ultimately
not approved: Another applicant requested $225,000 in grants to
purchase cameras, fencing, and barricades around its facility, and it
committed to matching the requested amount. The initial headquarters
review recommended that the applicant receive an award and it ranked
the project as 25th out of 287 applicants. Local Coast Guard and MARAD
officials ranked this project as their top priority for the port,
noting that this chemical plant produces material that is highly
hazardous and that improving security at this facility had the Coast
Guard's "highest recommendation." This applicant did not receive an
award and it was ranked 236 out of 287 applications because it was a
Fortune 500 company.
Examples of projects initially recommended for funding but ultimately
approved: Another applicant requested a $1.1 million grant to augment
an existing police department surveillance and camera system of port
facilities on an around-the-clock basis. The initial headquarters
review did not recommend this application for an award and it was
ranked 279th out of 287 applicants. Comments from the initial review
showed that there was concern the project was not cost-effective
because "it appeared to duplicate another effort by the port or the
state and the project provided moderate risk reduction to identified
vulnerabilities." The reviewers noted that the applicant did not offer
to share in the cost of the project. However, ODP awarded $800,000 to
the applicant.
Examples of projects initially recommended for funding but ultimately
approved: A fourth applicant requested $1,105,200 to install protective
film on windows at its terminal location. Grant program procedures
stated that preference would be given to projects that prevent, deter,
and detect (an attack) over a project that involved new installation or
replaced existing infrastructure. On the basis of these guidelines, the
Coast Guard staff at one port location ranked this application as 50th
out of 55 applicants in its port zone. According to the staff, they
were instructed to raise the scores for this application, and as a
result, the applicant received an award for its application.
Source: GAO analysis of 2004 grant fund database.
[End of table]
These examples illustrate the trade-off between awarding grants to
applicants that are assessed, in part, based on risk or on providing
funds to applicants that have a financial need. The net result is that
when federal funds are used in this fashion, they may not address the
most severe security gaps in and around ports because there is no
guarantee that private sector firms will spend their own funds for
security improvements since it is unclear whether there are incentives,
such as minimum standards for security, that would motivate them to do
so.[Footnote 47] The competing goals of addressing the most significant
security needs and providing financial assistance to those entities
with less fiscal capacity call attention to the difficulty of achieving
a balance between these objectives and the need for selection decisions
that clearly document the trade-off.
In order to achieve a transparent process for accountability purposes,
federal standards for internal control require that all transactions
and other significant events need to be clearly documented, and that
documentation should be readily available for examination.[Footnote 48]
However, internal control procedures for documenting decisions,
including changes in project ranking, were not followed. The result is
that the rationale for award decisions was not always available. In
cases where an applicant's ranking would change by over 100 places,
there was no documentation that described the reason for the change. In
several cases where changes such as this occurred, it was noted that
the final selection board concurred with the original ranking, but no
reason was provided for the reprioritization. DHS's IG review also
found this lack of documentation. The IG recommended that the reviewers
be required to document their decisions in the grants management
system, particularly when the decisions are inconsistent with
recommendations from a lower level of review. DHS generally concurred
with the IG's recommendations and stated that it would require
reviewers to document their decisions as part of the 2005 grant
program. Our work showed that in the fiscal year 2004 grant program--
the most recent round prior to the issuance of the IG's report--such
documentation was still missing. For fiscal year 2005, ODP instituted
additional measures to ensure that decisions were documented as part of
the review process.
Implementation and Monitoring: ODP Has Instituted a Monitoring Plan for
Grant Awards:
ODP has made substantial progress in creating procedures that address
the fifth phase of the framework--implementation and monitoring; the
challenge lies in carrying them out. As we have described in this
chapter, ODP has taken a number of actions to base spending decisions
on risk-based data; it has, among other things, (1) developed
procedures for prioritizing port locations, (2) prioritized threat
scenarios, and (3) more closely aligned risk assessments to port
locations. In addition, ODP has coordinated its efforts with the Coast
Guard, the intelligence community, and other key stakeholders in
developing the procedures for the 2005 grant program. For the fiscal
year 2005 grant program, ODP has established procedures for monitoring
recipients after they have been funded. The monitoring consists of
follow-up after a project has been implemented to help ensure that the
project has been implemented in accordance with the grant award,
including timelines, budgets, and programmatic criteria are being met.
In addition, ODP requires that progress reports be submitted biannually
and a final project report be submitted within 120 days after the end
of the project.
A challenge that remains this phase of the risk management framework is
developing processes for feedback to improve the process used in
awarding grants. For example, our review of the 2004 grant awards show
that local officials, including Coast Guard officials and grant
applicants, did not receive feedback from ODP on why projects they
designated as high priority did not receive funding when lower-priority
projects did. According to ODP officials, they have instituted
processes for providing feedback to and obtaining feedback from grant
program stakeholders as part of the fiscal year 2005 program.
Conclusions:
The principles of risk management apply to the port security grant
program, and the lessons learned call attention to additional actions
that could build on the progress that has already been made. Depending
on the value placed on reducing the substitution of federal funds for
local funds, there are opportunities to further leverage federal
dollars in the program's design, and by leveraging federal funds,
additional security needs in and around ports could be addressed.
Additionally, without having performance measures in place, it is hard
to gauge what progress has been made and what security gaps remain. The
development of such measures should offer greater insights on the
extent to which funds are narrowing security gaps that exist or helping
to identify security needs that surface. The lessons of the program
also provide numerous insights into the way that multiple stakeholders,
such as the Coast Guard and IAIP, contribute to the way in which ODP
uses risk-based data in administering the program. As we described in
chapter 2, the Coast Guard has several efforts under way to improve its
risk assessment of ports, including developing data on the relative
probability of threat scenarios, improving data on consequences and
vulnerabilities that are linked to various threat scenarios, and
comparing risks among ports. ODP should be able to use the results of
such efforts to help in awarding grants that are consistent with the
priorities identified.
Recommendations for Executive Action:
To strengthen ODP efforts to implement a risk management approach to
its port security grant program, we recommend that the Secretary of
Homeland Security direct the Executive Director for ODP to undertake
the following three actions:
* Clarify, in its grant guidance, the conditions under which greater
leveraging of federal dollars should be included as a strategic goal
for the port security grant program.
* Develop measurable objectives for managing the grant program's
progress toward achieving strategic goals and use these measures to
gauge progress and make adjustments to the program.
* Coordinate efforts with the Coast Guard and IAIP to use more reliable
risk assessment data as they become available. At a minimum, such data
should include (1) the relative likelihood of various threat scenarios,
(2) consequences and vulnerabilities that are linked to terrorist
scenarios, and (3) a comparison of risks across ports.
Agency Comments and Our Evaluation:
In commenting on a draft of chapter 3, DHS, including ODP, generally
agreed with the findings and recommendations. Specifically, DHS said
that the recommendations are reasonable given that most of our review
took place prior to changes that ODP made to the program in fiscal year
2005. DHS said that it appreciated our efforts to review the fiscal
year 2005 port security grant program requirements even though most of
our work had been completed. DHS stated that several of the
recommendations have already been addressed, and it noted that the
remaining ODP-related recommendations will be addressed in the fiscal
year 2006 port security grant program, at least to the extent possible.
In addition to commenting on our findings and recommendations, DHS
provided technical comments under separate cover, and we revised the
draft report where appropriate. Written comments from DHS are in
appendix II.
[End of section]
Chapter 4: IAIP Faces Challenges in Meeting Risk Management
Responsibilities across All Sectors of the Nation's Infrastructure:
The Information Analysis and Infrastructure Protection Directorate
within DHS faces broad and extensive challenges in meeting its risk
management responsibilities and thus far has made limited progress.
Relative to the Coast Guard and ODP, IAIP's risk management
responsibilities are much wider and more difficult: Instead of
comparing risks across port assets, it must find ways to compare risks
at ports with risks in other sectors, such as public health, energy,
and banking and finance. Challenges remain across all of the phases of
GAO's risk management framework (see table 9). For the first phase
(goals and objectives), while IAIP's efforts are anchored to strategic
goals in various executive branch strategies and an interim national
plan, IAIP's challenge is to continue developing the national plan to
provide performance measures and associated steps and milestones. In
the second phase, IAIP has begun several key risk assessment efforts
but has had limited success in completing them. For example, IAIP faces
challenges in developing data on the relative likelihood of various
threat scenarios--a key part of the assessments it must conduct under
the Homeland Security Act of 2002--because the information produced by
the intelligence community is of limited use for risk assessment
purposes, according to IAIP officials. IAIP has plans to develop such
data by coordinating its efforts more closely with the intelligence
community. Additionally, IAIP has yet to successfully complete the
difficult task of comparing and prioritizing assets within and across
sectors, but it plans to have an interim assessment done by the end of
2006. IAIP's challenge in the final three phases (evaluating
alternatives, selecting approaches, and implementation and monitoring)
are related heavily to IAIP's unique role: It recommends what the
security priorities should be to other federal agencies and nonfederal
stakeholders and recommends how best to address them, but it is largely
dependent on other stakeholders, public or private, to take any
actions. The decision to implement security improvements is made by
stakeholders alone. Moreover, IAIP acknowledges that it can further
leverage work that has already been done in this area by other federal
agencies that have regulatory authorities over certain private sector
infrastructure owners. IAIP's challenges center on developing credible
guidelines and approaches that can leverage work already done and
foster concurrence in risk analysis results and encourage actions to be
taken.
Table 9: Summary of Progress Made and Challenges That Remain in IAIP's
Risk Management Approach:
Risk management phase: Strategic goals, objectives, and constraints;
Examples of progress made: Strategic goals have been laid out in
various national strategies, and IAIP issued the Interim National
Infrastructure Protection Plan (NIPP), which, among other things, is
intended to guide the process for identifying, comparing, and
prioritizing critical assets within and across sectors;
Examples of remaining challenges: As IAIP works to complete the interim
NIPP, it will be challenged to develop performance measures and
detailed timelines or target dates for identifying and prioritizing
critical infrastructure.
Risk management phase: Risk assessment;
Examples of progress made: IAIP has developed a national database of
critical infrastructure assets and a series of benchmark threat
scenarios to be used to analyze potential attacks. IAIP has used these
scenarios to develop data collection instruments for two types of
assets (nuclear plants and chemical plants) to assess their
vulnerabilities;
Examples of remaining challenges: IAIP faces challenges in developing a
methodology so that it can develop data on the relative likelihood of
various threat scenarios--a key element of risk assessment it must
conduct under the Homeland Security Act. It also faces challenges in
developing a methodology for prioritizing assets within and across
sectors.
Risk management phase: Alternatives evaluation;
Examples of progress made: IAIP has developed tools for owners and
operators of selected critical infrastructure assets to estimate the
consequences of an attack and perform vulnerability assessments. This
information is a prerequisite when valuing costs and benefits and
prioritizing among different assets;
Examples of remaining challenges: IAIP and the owners or operators of
critical infrastructure may not agree on the costs and benefits of
protective actions. Developing the methodology for prioritizing assets
will also be important for progress in this phase. IAIP plans to
develop procedures in 2006 for quantifying costs and benefits.
Risk management phase: Management selection;
Examples of progress made: IAIP is pursuing partnerships to encourage
the responsible owners and operators to implement IAIP recommendations.
IAIP is also developing a risk management decision support framework to
facilitate government authorities' selection of risk management policy,
programs, and budgetary options;
Examples of remaining challenges: In most cases, IAIP does not have
authority to make the selection; its role in this regard is advisory.
Thus, its challenge is to develop ways to help ensure that owners,
operators, and state and local government authorities make informed
choices, ensure that federal decisions are informed by risk-based data,
and leverage the regulatory authorities of other agencies.
Risk management phase: Implementation and monitoring;
Examples of progress made: IAIP has limited responsibilities in
implementing programs that result in improved infrastructure
protection. It provides funds to ODP through a Buffer Zone Protection
Program that involves efforts to reduce vulnerabilities in and around
facilities and assets;
Examples of remaining challenges: IAIP is similarly challenged by a
lack of authority in implementing protective measures to protect
critical infrastructure. Also, IAIP cannot require state and local
governments to use federal funds on specific infrastructure protection
measures. In addition, IAIP is challenged to get intelligence data
specific enough to develop measures for determining whether protective
actions are actually deterring or minimizing the impact of terrorist
attacks.
Source: GAO analysis of IAIP's risk management practices.
[End of table]
IAIP Plays a Key Role in Evaluating Risk across Infrastructure Sectors:
While risk management is one of several tools for the Coast Guard and
ODP, risk management is central to one of IAIP's key missions, which is
to establish a risk management framework across the federal government
to protect the nation's critical infrastructure and key
resources.[Footnote 49] The Homeland Security Act of 2002 made IAIP
responsible for critical infrastructure protection (CIP) functions,
charging IAIP with broad responsibility for developing a comprehensive
national plan for securing the key resources and critical
infrastructure of the United States. IAIP's statutory responsibilities
require it to conduct risk management activities on a national scale
and to gather the information needed to do so from other federal
agencies, state and local government agencies, and private sector
entities.[Footnote 50] By statute, IAIP is responsible for:
* identifying, detecting, and understanding threats in light of actual
and potential vulnerabilities to the homeland;
* conducting comprehensive assessments of the vulnerabilities of the
key resources and critical infrastructure of the United States;
* conducting risk assessments to determine the risks posed by
particular types of terrorist attacks and how likely they are to
succeed, as well as the feasibility and potential efficacy of various
countermeasures;
* identifying priorities for protective and support measure by DHS,
other federal agencies, state and local governments, the private
sector, and other entities; and:
* recommending measures to protect the critical infrastructure and key
resources of the United States in coordination with other federal
agencies and in cooperation with state and local governments, the
private sector, and other entities.[Footnote 51]
In December 2003, the President issued Homeland Security Presidential
Directive-7, Critical Infrastructure Identification, Prioritization,
and Protection, which established the framework in which IAIP carries
out its responsibility of coordinating the overall national CIP effort.
Current CIP policy, as described in HSPD-7, defines responsibilities
for DHS, sector-specific agencies, and other departments and agencies.
It instructs federal departments and agencies to identify, prioritize,
and coordinate the protection of critical infrastructure to prevent and
deter attacks, and mitigate the effects of any attacks that may occur.
To ensure the coverage of critical sectors, HSPD-7 designated sector-
specific agencies for the critical infrastructure sectors identified in
the National Strategy for Homeland Security (see table 10). These
agencies are responsible for infrastructure protection activities in
their assigned sectors, which include coordinating and collaborating
with relevant federal agencies, state and local governments, and the
private sector to carry out their responsibilities and facilitating the
sharing of information about physical and cyber threats,
vulnerabilities, incidents, potential protective measures, and best
practices. For example, the transportation sector, for which the
Department of Homeland Security is assigned responsibility, includes
the movement of people and assets that are vital to the nation's
economy, mobility, and security. The maritime shipping infrastructure,
a component of the transportation sector, includes ports and their
associated assets, ships, passenger transportation systems, and other
maritime transportation assets. Each sector may also include a number
of systems and "key assets"--some of which include individual targets
whose attack could cause large-scale human casualties or property
destruction, or profoundly damage national prestige and
confidence.[Footnote 52]
Table 10: Critical Infrastructure Sectors and Lead Federal Agencies:
Sector: Agriculture;
Sector-specific agency: Department of Agriculture and Department of
Health and Human Services.
Sector: Banking and finance;
Sector-specific agency: Department of the Treasury.
Sector: Chemicals and hazardous materials;
Sector-specific agency: Department of Homeland Security (IAIP).
Sector: Defense industrial base;
Sector-specific agency: Department of Defense.
Sector: Emergency services;
Sector-specific agency: Department of Homeland Security (IAIP).
Sector: Energy;
Sector-specific agency: Department of Energy.
Sector: Food;
Sector-specific agency: Department of Agriculture and Department of
Health and Human Services.
Sector: Government;
Sector-specific agency: Department of Homeland Security (Federal
Protective Service).
Sector: Information technology and telecommunications;
Sector-specific agency: Department of Homeland Security (IAIP).
Sector: Postal and shipping;
Sector-specific agency: Department of Homeland Security (TSA).
Sector: Public health and health care;
Sector-specific agency: Department of Health and Human Services.
Sector: Transportation;
Sector-specific agency: Department of Homeland Security (TSA).
Sector: Drinking water and water treatment systems;
Sector-specific agency: Environmental Protection Agency.
Source: GAO analysis of the President's national strategy documents and
HSPD-7.
[End of table]
Under HSPD-7, the overall national CIP effort is to be coordinated by
DHS, a responsibility carried out by IAIP, subject to the DHS
Secretary's direction and control, as provided in the Homeland Security
Act of 2002. The DHS Secretary has several overarching CIP
responsibilities under HSPD-7, including identifying, prioritizing, and
coordinating CIP within and across sectors, with an emphasis on
critical infrastructure and key resources that could be exploited to
cause catastrophic health effects or mass casualties. In addition, the
Secretary is required to establish uniform policies, approaches,
guidelines, and methodologies for integrating CIP and risk management
activities within and across sectors, along with metrics and criteria
for related programs and activities.
Strategic Goals, Objectives, and Constraints: High-Level Goals in Place
and Interim Plan Drafted, but Performance Measures and Milestones Have
Yet to Be Developed:
A number of strategic goals are in place to guide IAIP's broad
responsibilities. They stem from the Homeland Security Act of 2002 and
the following executive branch documents:
* The National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets.[Footnote 53] Issued in February 2003,
this strategy identified a set of national goals and objectives and
outlined the guiding principles that underpin efforts to secure the
critical infrastructure and key resources of the United States. The
strategy recognizes that adequate protection of critical infrastructure
requires (1) comprehensive threat assessment and analysis; (2)
effective and efficient risk assessment; and (3) security baselines,
standards, and guidelines.
* Homeland Security Presidential Directives 7 and 8. Both directives
were issued on December 17, 2003. HSPD-7 established a national policy
for federal departments and agencies to enhance the protection of
critical infrastructure and key resources and made DHS responsible for
establishing uniform policies, approaches, guidelines, and
methodologies for integrating nationwide infrastructure protection and
risk management activities. HSPD-8 calls for a national preparedness
goal that balances the potential threat and magnitude of terrorist
attacks with the resources required to prevent, respond to, and recover
from them--a risk management approach calling for an estimate of the
likelihoods and expected consequence of possible terrorist attacks that
takes finite resources into account.
* The Interim National Infrastructure Protection Plan (interim NIPP).
The Secretary of DHS assigned IAIP the responsibility for developing a
national infrastructure protection plan. The interim NIPP was released
in February 2005.[Footnote 54] It calls for the use of a risk
management framework that takes into account threats, vulnerabilities,
and consequences when comparing and prioritizing critical
infrastructure and deciding what actions to take to protect them. This
framework is intended to be carried out both within sectors and
nationally across sectors. It is to contain steps for narrowing the
overall set of assets to those that are most critical at a national
level.
We have reported that the interim NIPP is not a comprehensive document,
and IAIP faces several challenges in making it more
comprehensive.[Footnote 55] These challenges are in two main areas:
* Performance measures. Although the interim NIPP did not contain
performance metrics to measure effectiveness, it recognized that they
are needed and calls on IAIP and the sector-specific agencies to
develop them. According to IAIP officials, this is being done in two
phases. For the first phase, IAIP has identified a set of basic core
metrics that can be used to evaluate performance across all sectors, as
called for in the interim NIPP. IAIP is also working with agencies
responsible for specific sectors to develop a supplemental set of
metrics for each sector. The intent of this measurement process is to
provide DHS and the sector-specific agencies with feedback on where and
how they should focus their resources to be most effective. According
to IAIP officials, the second phase involves, in part, monitoring the
progress of each sector in implementing the risk management framework
laid out in the interim NIPP. To date, however, IAIP and the sector-
specific agencies have not completed the performance metrics called for
in the interim NIPP.
* Milestones and timelines. The interim NIPP did not contain milestones
for the development of sector-specific plans or timelines of target
dates for identifying and prioritizing critical infrastructure.
According to IAIP officials, the final version of the NIPP, after
undergoing interagency review, will be released in 2006, and it will
contain milestones and timelines for the initial phase of developing
performance metrics. It is not clear, however, if this final version
will contain milestones and timelines for sector-specific plans or for
completing the process of prioritizing critical infrastructure.
Risk Assessment: IAIP Faces Substantial Gaps and Has Made Limited
Progress:
IAIP's progress in risk assessment has not been as extensive as the
Coast Guard's or ODP's. Its area of greatest progress is in developing
a national database of assets that constitutes the nation's critical
infrastructure. In two other key respects, however, it faces major
challenges in carrying out requirements specified in law or policy
directives. These challenges are in developing adequate data on threats
and creating a methodology for making cross-sector comparisons.
Progress Is Greatest on Database of Critical Assets:
IAIP has developed the National Assets Database (NADB), an inventory of
approximately 80,000 assets, as a starting point in being able to
evaluate and prioritize them. The NADB includes such facilities as
nuclear power plants, pipelines, bridges, stadiums, and locations such
as Times Square. Assets in the NADB are gathered from a variety of
public and private sector sources, including federal, state, and local
databases; prior studies containing lists of infrastructure and
resources; and sector-specific data collection activities. The database
is revised as assets are added and removed in collaboration with state
and local officials and with representatives of sector-specific
agencies. According to IAIP officials, this database is intended to
produce baseline data that will later allow for assessments of
vulnerabilities by location, within sectors, and across
sectors.[Footnote 56]
Development of Threat Data Faces Challenges:
IAIP has begun work to develop threat scenarios and analyze them. The
Homeland Infrastructure Threat and Risk Analysis Center (HITRAC),
staffed by sector specialists and intelligence analysts with
backgrounds from the intelligence community, is responsible for
generating these plausible threat scenarios--called benchmark threats.
HITRAC has developed 16 benchmark threats, such as a suicide bomber, a
vehicle-borne improvised explosive device, and a weapon of mass
destruction. IAIP faces two substantial challenges, however, in
completing this work.
* Relative probability for threat scenarios not yet developed. First,
IAIP faces challenges in developing a way to differentiate the relative
probability of various threats. Under the Homeland Security Act of
2002, IAIP must perform risk assessments to determine the risks posed
by particular types of terrorist attacks, including an assessment of
the probability of success of such attacks.[Footnote 57] IAIP officials
stated that a lack of intelligence data and law enforcement data limits
their ability to develop the relative probability for various threat
scenarios, and for this reason, they have focused their initial efforts
on developing vulnerability and consequence data. According to IAIP
officials, the intelligence community--including the intelligence
components of DHS--has been unable to provide detailed intelligence on
threats to most sectors, infrastructure, assets, or asset
types.[Footnote 58] Assigning equal likelihood to various threat
scenarios would mean IAIP's risk assessments will not include key
threat data on the capabilities and intent of terrorist groups, the
history of terrorist threats on various asset types, or the existence
of terrorist cells domestically or internationally. And because data on
the relative likelihood of threat scenarios are not included, the
assessments will emphasize high-consequence events that may have a low
probability of occurring. This approach is bound to result in
potentially unreliable or incomplete data on where to establish
priorities. In September 2005, IAIP officials told us that they
recognize the importance of developing data on the relative likelihood
of an attack type, and that doing so is part of their responsibility
for meeting the requirements of the Homeland Security Act. Officials
told us that they plan to assess the likelihood of threats by having
HITRAC develop consistent comparative threat assessments by integrating
intelligence sources, law enforcement data, and suspicious activity
reporting with subject matter expertise. IAIP officials caution,
however, that the directorate may not be able to estimate the relative
likelihood of some threat scenarios, and as a result, some assessments
may emphasize high-consequence events that have a low probability of
occurring. Also, officials indicated that some inaccuracy is to be
expected when HITRAC examines the intent and capability of an adversary
whose plans are concealed and that it will be important to reduce the
potential of low-confidence assessments having undue influence when
long-term investment decisions are made.
* Vulnerability assessments not yet developed for many infrastructure
sectors. Second, IAIP has not yet developed vulnerability assessments
for the full spectrum of infrastructure sectors. As of August 2005,
IAIP had managed the development of vulnerability assessment
questionnaires for two components of critical infrastructure--nuclear
facilities and chemical facilities. Initially, IAIP's contractor was
scheduled to assess asset types in 8 of the 18 sectors and key assets
by the end of 2005. However, according to IAIP officials this work will
be done by the end of 2006.[Footnote 59] IAIP officials did not have an
estimate as to when the assessments would be complete for all other
sectors of critical infrastructure that it is responsible for
assessing.[Footnote 60]
Methodology for Cross-Sector Comparisons Has Experienced Setbacks:
IAIP has experienced setbacks in its attempts to meet HSPD-7's
requirement to develop a strategy for identifying, prioritizing, and
coordinating the protection of critical infrastructure. To prioritize
the protection of this infrastructure, IAIP has been working for about
2 years on a methodology for assessing vulnerabilities of critical
infrastructure to help inform comparisons of risks on an intrasector
and cross-sector basis. This methodology has been delayed because of
methodological concerns, and IAIP's schedule for completing various
other activities needed to meet the requirement is dependent on the
methodology and now appears uncertain.
IAIP developed an analytical assessment tool known as the Risk Analysis
and Management for Critical Assets Protection methodology (RAMCAP).
RAMCAP was begun in November 2003, when DHS awarded the American
Society of Mechanical Engineers (ASME) a $1.6-million grant to develop
an overarching methodological guide for the private sector to assess
its terrorism security risks. Originally, DHS expected RAMCAP to
advance homeland security efforts by providing a usable, affordable
vulnerability and risk assessment methodology for owners and operators
to use that would inform risk management decision in the private
sector. Now, IAIP views it as an independent effort that will
complement IAIP risk assessment efforts at comparing risks within and
across sectors.
When RAMCAP was released for comment in April 2004, ASME received
comments from over 100 officials from industry, academia, and
government. A peer review process produced additional comments. The
comments centered on several issues, including concern about the amount
of resources needed to assess risks and the limited benefits in
creating self-assessments for industry without knowing what the purpose
of the effort involved.[Footnote 61] In June 2004, ASME altered its
approach based on this feedback and began a broad outreach effort to
involve industry in developing vulnerability assessment modules.
In December 2004, IAIP awarded a $4 million contract to ASME to
continue its efforts in developing RAMCAP and vulnerability assessment
modules for owners and operators of asset types in eight
sectors.[Footnote 62] After developing pilot modules for the chemical
and nuclear industries, in August 2005, ASME produced a new working
draft of RAMCAP. According to IAIP, RAMCAP may undergo minor revisions
as more modules are completed. IAIP officials stated that more
substantial revisions to RAMCAP will likely occur when IAIP broadens
its approach to infrastructure protection by examining the entire
systems and interdependencies within and across sectors.
In September 2005, IAIP informed us that it is developing a National
Comparative Risk Assessment for the 18 critical infrastructure sectors
and key assets, and it plans to complete an interim assessment by the
end of 2006. The assessment has several phases. It involves sector-
specific agencies identifying the top 100 high-risk systems and assets
in their sector based on potential consequences. IAIP officials said it
requested agencies to develop their lists by July 2005. However, the
degree to which agencies will be able to fully respond to the request
is uncertain. For example, as of July 2005, the Transportation Security
Agency had begun but not yet completed a risk assessment for the
passenger rail sector, and it did not indicate when the assessment
would be done. Additionally, TSA did not expect to have the first
version of its sector-specific plan--the plan that describes its risk
assessment methodology--until February 2006. Until agencies such as TSA
complete their assessments and develop their sector-specific plans,
they will not be able to determine relative risks within their sector
in a consistent fashion.[Footnote 63]
Whether IAIP will be able to complete this interim assessment by the
end of 2006 may be complicated by two other factors. First, in
September 2005, IAIP officials said that IAIP still needs to award the
contract for this effort, and officials did not provide a schedule for
when this would occur. Second, the degree and extent to which IAIP will
need to obtain input from the private sector in developing this
assessment tool is unclear. In developing the vulnerability assessment
modules for sector-specific industries, IAIP's consultant and industry
groups worked extensively with each other in developing the modules. If
similar coordination and communication efforts are needed to complete
the interim assessment, it may call for additional time and resources.
According to IAIP officials, once the initial rankings are made,
subject matter experts will review the results and the results of
previous analyses will be used to refine the rankings within a sector
and ultimately across sectors. IAIP plans to use the interim results to
inform homeland security grant programs and serve as a basis for
further risk management efforts. The results of the vulnerability
assessment modules that are being developed will inform the national
assessment and will act as a basis for interaction with the private
sector, according to IAIP.
The interim National Comparative Risk Assessment is intended to meet
the immediate need of examining relative risk within and across
sectors. However, there are limitations on the degree to which the
interim assessment will produce comparable, consistent, and reliable
data for setting national priorities. First, only vulnerability
assessments of asset types in 8 of 18 sectors and key assets are
scheduled for completion by the end of 2006, while the schedule for
completing assessments on other sectors or asset types is unclear--
suggesting that vulnerability data on some sectors will be more
reliable than data on other sectors. Second, the interim assessment
will likely involve a heavy emphasis on consequence-related data, and
less information on the relative likelihood of threat scenarios and
data on vulnerability--two major components of risk assessment. Third,
as sector-specific agencies develop their list of high-risk assets, it
is unclear whether they will do so in a consistent and uniform fashion,
because the overarching framework that guides these actions is not yet
in place. In September 2005, we reported that completing the element of
the framework that defines concepts, terminology, and metrics for
assessing risk limits DHS's ability to compare risk across
sectors.[Footnote 64] IAIP recognizes that engaging sector-specific
agencies in assessing risk in a consistent way is key. IAIP now intends
the National Comparative Risk Assessment to provide such guidance, but
until this assessment is issued, it is unclear where the guidance will
come from. Limitations such as these, according to IAIP, are driven to
some degree by resource and time constraints.
Evaluating Alternatives: Lack of Guidance and Consensus on Costs and
Benefits Creates Challenges:
The alternatives evaluated by IAIP differ somewhat from the
alternatives evaluated by the Coast Guard (as discussed in chapter 2)
or ODP (as discussed in chapter 3). The Coast Guard evaluates
alternatives related directly to how it deploys its own resources, such
as increasing security patrols, boarding suspicious vessels, creating
and enforcing security zones, and using its regulatory powers to force
maritime facilities to adopt protective measures. ODP evaluates
alternatives that relate directly to its grant awards; the alternatives
are the various funding proposals for security-related infrastructure
improvements. In contrast, the alternatives that IAIP evaluates are
generally not based on actions IAIP can take. Instead, they are based
on identifying, from a national standpoint, the (1) areas of greatest
risk and (2) infrastructure protection strategies that offer the
greatest benefit for the cost involved. In this regard, IAIP faces
several challenges.
One challenge faced by IAIP in evaluating alternatives is the
difficulty in valuing costs and benefits in a homeland security
setting--an important tool for evaluating alternatives. OMB has
guidance for federal agencies on how to evaluate alternative government
actions, but this guidance is of limited use in assessing alternatives
for risk management for homeland security programs. OMB has identified
various tools it considers useful in planning, such as cost-benefit
analysis, capital budgeting, and regulatory decision making.[Footnote
65] However, such tools are difficult to apply to homeland security
expenditures, even when such application is encouraged in the National
Strategy for Homeland Security, because the benefits of homeland
security investments are hard to quantify. Because OMB guidance is
relatively silent on acceptable treatment of nonquantifiable benefits,
there is a lack of criteria to guide federal analysts in conducting
risk management. In response to our inquiries, OMB officials told us
that they have not been involved in implementing Homeland Security
Presidential Directive-7, which is related to critical infrastructure
protection. In addition, they said that they have not been developing,
nor did they have plans to start developing, guidance on risk
management methodologies for federal agencies to use for homeland
security programs. They said that they would rely on DHS and IAIP to
take the federal government lead in developing such methodologies. IAIP
officials said they plan to develop procedures in fiscal year 2006 for
quantifying costs and benefits of mitigation strategies.
Another challenge faced by IAIP in evaluating alternatives, at least in
terms of ranking assets and protective actions to prevent and mitigate
attacks, is that other entities responsible for taking such protective
actions may use different criteria for evaluation. That is, the
federal, state, local, or private sector entities that own and operate
much of the nation's critical infrastructure may disagree with IAIP on
how to evaluate alternatives through assessing benefits and costs or
other types of evaluation. This lack of consensus could lead to two
separate evaluations of alternatives--one by IAIP and one by the entity
that owns and operates the asset. While IAIP may view certain assets or
protective actions as critical, those responsible for the assets and
protective actions may view the assets and actions as marginal or not
necessary at all, or vice versa. According to IAIP officials, state and
local government and industry stakeholders will benefit from using the
same assessments, but the value that is placed on the assessment may
differ from one stakeholder to another. As an example, Washington state
emergency management officials told us that their initial listing and
ranking of critical assets was much different than that developed by
IAIP. State officials may place greater weight on attack scenarios that
result in impacts on children or disadvantaged communities. Industry
may place greater weight on scenarios that disrupt the long-term
viability of a business. IAIP's challenge is discerning whether federal
risk concerns are managed appropriately and that the costs for managing
risks are assigned as much as possible to the authority that benefits
from the activity. In addition to these considerations, Congress also
has a role in appropriating federal funding of protective programs.
Management Selection: IAIP Challenged in Protecting Infrastructure
because of Its Limited Role in Selecting Alternative Protective
Measures:
As with the alternatives evaluation part of GAO's framework, IAIP's
management selection differs from how the Coast Guard or ODP makes
decisions. While the Coast Guard decides what protective measures to
take and ODP decides which applicants receive funding for port
security, IAIP is not in a position to direct others on how to act.
IAIP officials said that while they have the responsibility of helping
set risk-based priorities concerning where resources should be spent
for protecting critical infrastructure, IAIP does not have the
authority to direct the management of these resources in many cases.
For example, IAIP does not have authority to compel owners and
operators of critical infrastructure to take action. Instead, IAIP
recommends the relative priority of critical infrastructure and
specific protective measures. Other entities, such as owners,
operators, or agencies with more direct regulatory responsibilities,
can then act on IAIP recommendations and technical advice. The one
exception is IAIP's Buffer Zone Protection Program, which we discuss in
the section following on implementation and monitoring.
At the departmental level, DHS may use the IAIP priority list to direct
one of its component agencies to take specific actions. As examples,
IAIP priorities could be used by U.S. Customs and Border Protection to
increase the scrutiny of cargo containers at a specific port terminal,
by the Secret Service to increase security for the President, by the
Federal Emergency Management Agency to help improve local response
capabilities near specific facilities, or by ODP to provide grants to
specific facilities. In some cases, DHS components may have some
authority over private infrastructure owners--such as the Coast Guard's
regulatory powers related to implementing the Maritime Transportation
Security Act. For example, the Coast Guard approves vulnerability
assessments and mitigation strategies developed by owners and operators
of facilities and vessels and it reviews whether the owners and
operators are complying with their plans. However, in most cases, DHS
and its components do not have authority over the owners and operators
of critical infrastructure, particularly in the private sector.
Thus, the challenge for IAIP (and DHS at the department level) is that
it generally does not have authority over the entities that make
management decisions to select among alternative protective measures.
In such cases, IAIP's role is limited to providing information on how
it views the relative strengths and weaknesses of the alternatives and,
sometimes, technical advice on how these entities could improve the
security of their assets. IAIP officials said they use their expertise
and powers of persuasion to get the owners and operators to take
specific protective actions. IAIP officials also said that IAIP works
closely with industry groups to set standards and promote voluntary
compliance.
Certain protective measures could have application across multiple
threat scenarios. The interim NIPP does not describe what IAIP's plans
are for analyzing its benchmark threat scenarios and developing
information that could help owners and operators reduce risk by
protecting their facilities with countermeasures that address multiple
scenarios. For example, improving security operations could reduce the
risk of multiple threats, such as suicide bombers, truck bombs, or
weapons of mass destruction. Having sufficient emergency supplies could
address the consequences of casualties or damaged infrastructure that
occur from various attack modes. By not having plans to develop
information on what countermeasures could address multiple threat
scenarios, IAIP is limited in it ability to provide information that
informs owners and operators of facilities of ways to protect their
facilities in a cost-effective fashion. According to IAIP, it is
considering this in the cost-benefit framework that is being developed.
IAIP's lack of authority over the owners and operators of critical
infrastructure highlights the importance of coordination among
different federal agencies. Several federal agencies with lead
responsibilities for specific sectors of infrastructure do have
regulatory authorities that could be used to set security standards and
compel protective measures. For example, the Department of the Treasury
and the Securities and Exchange Commission and other agencies have
regulatory authorities over financial markets and can compel them to
take certain protective measures. While DHS generally does not have
authority over many of the assets in those sectors in which it has lead
responsibility, some other federal agencies do. For example, the
Nuclear Regulatory Commission, which issues licenses to commercial
nuclear power plants, has clear regulatory authority over security
matters at these facilities. While each sector has a Government
Coordinating Council that includes representatives from federal
agencies involved in the sector, IAIP recognizes that it can further
leverage work that has already been done by other agencies that have
regulatory authority over certain private sector owners. This condition
brings attention to the need for IAIP to coordinate with these agencies
to leverage federal authority in areas where oversight already exists.
Implementation and Monitoring: IAIP Is Also Challenged by Its Limited
Role in Implementation and Limited Information on Effectiveness:
IAIP has a limited role in implementing its own protective programs, as
well as in monitoring the effectiveness and level of implementation of
security risk management programs broadly. An example of IAIP's role in
implementing protective programs is the Buffer Zone Protection Program.
Managed by the Protective Security Division within IAIP, the program is
designed to make it more difficult for terrorists to conduct planning
activities or successfully launch attacks from the immediate vicinity
of critical infrastructure and key resource targets. The goal of the
program is to assist state and local government, local law enforcement,
and owners and operators in preventing, defending against, preparing
for, and mitigating the impacts of terrorist attacks. The program does
so by making grants available, through ODP, to state and local law
enforcement to implement buffer zone protection plans "outside the
fence" of private facilities, as well as by conducting workshops and
technical assistance visits.
However, IAIP's role in implementing protective measures is much more
limited "inside the fence" because IAIP does not own or operate any
assets, have regulatory authority over those entities that own or
operate the assets, or provide funds for such entities. Owners and
operators of the infrastructure assets--be they federal, state, local,
or private--are responsible for implementing the protective actions
needed. As previous GAO work has shown, public policy tools have been
used as an approach to encourage increased private sector critical
infrastructure protection efforts even when regulatory authority is
lacking.[Footnote 66] In terms of monitoring implementation of actions
to increase the protection of critical infrastructure, however, IAIP
does have a role. Its mission is to assess the overall state of
critical infrastructure protection in the nation.
In its monitoring role, IAIP faces a number of challenges. The first
challenge is that there are currently no performance measures to
evaluate the effectiveness of infrastructure protection. The interim
NIPP, while calling for such measures, does not offer any. According to
IAIP officials, such performance metrics will not be available before
2006. One of the difficulties encountered is that it is hard to develop
performance measures to gauge homeland security activities that are
directed at modifying terrorist behavior. For example, it is difficult
to determine whether measures to improve the protection of critical
infrastructure have a deterrent effect on terrorists. In some cases,
deterring terrorists from attacking "hard" targets (those that are
heavily protected) might have the effect of directing the terrorist
toward attacking "soft" targets (those that are lightly protected).
Conclusions:
IAIP's role in risk management is critical because of its breadth. IAIP
has overall responsibility to identify critical assets across all
sectors of the nation's infrastructure, as well as to play a lead role
in developing methodologies and guidance for analyzing risks and
assessing the benefits and costs of security alternatives. Progress in
most areas of responsibility has been limited, and much challenging
work remains to be done. In particular:
* Good threat data are critical to conducting risk management. During
the course of our review, IAIP recognized the importance of developing
information on the relative probability to various threat scenarios.
Until better data on threats are developed, risk-based data may not
fully inform decisions on where to establish priorities.
* Even with better threat data, assets cannot be compared across
sectors without a methodology for doing so. Currently, IAIP is
developing a methodology to do this, but it is not yet comprehensive,
nor has it been applied. Until such a methodology is fully developed,
IAIP will be challenged in conducting a national-level assessment of
risks, a key element of IAIP's core responsibility. Without a
methodology, it will not be possible for IAIP to make a determination
of relative risks that could help inform decisions on resource
allocation.
* Comprehensive planning and performance measures are necessary to
clarify what needs to be done and to determine progress in critical
infrastructure protection. The National Infrastructure Protection Plan
is still in interim form, leaving open many questions about how
specific sectors will be protected and how performance will be
measured. Without target dates for completing sector-specific plans and
performance measures, it will not be possible to determine IAIP's
progress in these areas. Additionally, without having plans to develop
information on what protective measures could address multiple threat
scenarios, IAIP's ability to inform owners and operators of ways to
protect their facilities in a cost-effective fashion is limited.
In all, the lack of progress leaves many decision makers basically on
their own to develop a way to determine where scarce resources need to
be applied against almost unlimited numbers of assets to maximize the
protection of critical infrastructure and security for the homeland.
Recommendations for Executive Action:
To help ensure the development of risk management approaches to
homeland security activities, we recommend that the Secretary of
Homeland Security direct the Undersecretary for IAIP to undertake the
following three actions:
* Work with the intelligence community to develop ways to better assess
terrorist threats and use available information and expert judgment to
develop a relative probability for various terrorist scenarios and
provide this information to sector-specific agencies;
* As tasked by presidential directive, develop a methodology for
comparing and prioritizing risks of assets within and across
infrastructure sectors by including data on the relative probability of
various threat scenarios;
* In completing the National Infrastructure Protection Plan, include
target dates for completing sector-specific plans, developing
performance measures, and identifying protective measures that could
address multiple threat scenarios.
Agency Comments and Our Evaluation:
In commenting on a draft of chapter 4, DHS, including IAIP, said that
IAIP is taking steps to address recommendations in the report. In
regard to our recommendation on working with the intelligence community
to develop better threat data, DHS said it is working with the Coast
Guard on a pilot project to do so. The pilot effort will be evaluated,
improved upon, and then more broadly applied with stakeholders in the
intelligence community pending their acceptance, according to DHS. In
regard to our recommendation on developing a methodology for comparing
and prioritizing risks within and across sectors, DHS responded that
for fiscal year 2006 grants, a risk analysis methodology was applied
that considers a small set of assets across sectors. With respect to
our recommendation on completing the National Infrastructure Protection
Plan, DHS stated that a draft plan is out for comment and that the
issue of identifying protective measures that could address multiple
threat scenarios is being addressed by IAIP. DHS also submitted
technical comments under separate cover and we made changes where
appropriate. Written comments from DHS are in appendix II.
[End of section]
Chapter 5: Overall Observations and Recommendations:
Taken together, what do the efforts and experiences of these three
components suggest about where DHS is with regard to managing homeland
security efforts on the basis of risk? In our view, there are two key
overall observations related to the degree of progress made, and two
more related to next steps that need to take place. With regard to
progress made, the first observation is that while considerable effort
has been applied, much more remains to be done than has been
accomplished so far. Across all three components, the most progress has
generally been made on fundamental steps, such as conducting risk
assessments of individual assets, and the least amount of progress has
generally been made on developing ways to translate this information
into comparisons and priorities across ports or across infrastructure
sectors. Second, and closely related, progress among the three
components' efforts has varied not only with the length of time the
component has been at the job, but also with the complexity of its risk
management task. With regard to next steps that would appear to add
most value to making further progress, one key observation is that in
the short term, progress is heavily dependent on continuing to make
steady progress at improving basic policies, procedures, and methods
for risk assessments and other phases of the risk management framework
outlined in chapters 2, 3, and 4. Each component has an admittedly
difficult set of challenges ahead, but progress has to be built on
taking these incremental steps and doing them well. The final
observation is related to a critical longer-term need: more guidance,
direction, and coordination from DHS. The challenges and difficulties
associated with creating a coordinated, coherent risk management
approach to the nation's homeland security have been widely
acknowledged since the events of September 11 and the creation of DHS.
One of the presidential directives calls on DHS to provide such
guidance, but the agency has yet to do so. As individual components
begin to mature in their risk management efforts, the need for
consistency and coherence becomes even greater. Without it, the
prospects increase for efforts to fragment, clash, and work at cross
purposes.
First Observation: Much Remains to Be Done:
There is a long way to go in implementing risk management successfully
in port security--and an even longer way to go in implementing risk
management in homeland security in general. One main reason is the
sheer amount of work that must be done. Five years ago, before the
September 11 attacks, the various terrorist scenarios seemed more
remote and less certain than the hard reality brought on that day.
September 11 changed this perspective dramatically. The work involved
is immense and cuts across many jurisdictional boundaries. Federal
agencies are called on to strengthen their partnerships with one
another and to work more closely with thousands of state, local, and
industry stakeholders.
A second major reason is that applying risk management to terrorism has
no well-established precedent. Parts of the private and public sectors
have used risk management principles for decades. However, doing so in
a homeland security setting is a highly difficult task that remains in
its embryonic phases. The components we reviewed face daunting
challenges in weaving a concern for risk into the annual cycle of
management review and budget decisions. Across the federal government,
this challenge is magnified and complicated because of the number of
agencies charged with carrying out risk management. This is an
extraordinarily difficult effort with no clear road map of ways to
strategically integrate a concern for risk into management decisions.
The fact that so much work remains is not the result of inaction by
federal agencies. In the agencies and programs we examined, activities
were often extensive and wide-ranging. Some activities, such as IAIP's
attempts to develop risk assessment criteria for its comparisons across
risk sectors, have had limited success, compounding the problem. The
underlying point, however, is that this is an extraordinarily difficult
effort with no clear and direct precedent to act as a guide.
Implementing risk management in port and homeland security will take
time and care, and this challenge will require ingenuity in adopting
risk management techniques to this new application in a cost-effective
way.
The progress that has occurred to date in the agencies and programs we
examined has been primarily in the activity that most people would
perhaps associate most readily with risk management--conducting
assessments to determine what the risks are at specific ports and
facilities. While much remains to be done even there, progress has
generally been slower on ways to approach risk management
strategically--that is, with a clear set of measurable objectives, a
clear knowledge of the options available for addressing risks and the
trade-offs involved with these options, and evaluation and feedback
mechanisms for continuing to refine and strengthen the approach.
Observation Two: Progress Varies by Component and Reflects Key
Characteristics of the Component and the Scope of Its Risk Management
Efforts:
The three components we studied have made varying degrees of progress
in risk management, and to a degree their progress is related to three
main factors: how long they have been at the task, how organizationally
stable they are, and the scope of what they are trying to do. The Coast
Guard, for example, is furthest along among the three components,
reflecting in part where it stands in relationship to all three of
these factors. It has been at the task the longest of the three
components, having begun work on implementing risk management in its
port security efforts immediately after the September 11 attacks. Its
primary risk assessment tool at the port level, PS-RAT, was implemented
in November 2001, and by August 2002, prior to the creation of DHS and
the port security framework called for under the Maritime
Transportation Security Act of 2002, it had begun security assessments
at major U.S. ports. To a degree, these early efforts were learning
experiences that required changes, but the Coast Guard was able to
build on its early start. The Coast Guard also had the greatest
organizational stability of the three components. It moved into DHS as
an already established entity with an organizational culture spanning
decades, and its organization and mission were not significantly
altered by moving into DHS. Finally, with regard to the scope of its
risk management activities, the Coast Guard's work is specific to port
locations, where it has direct and primary responsibility for carrying
out security responsibilities. With its focus on ports, the Coast Guard
does not have to address a number of the critical infrastructure
sectors laid out in national preparedness policy, such as banking and
finance, information and technology, and public health. Even so, the
Coast Guard's experience to date shows that as the scope of activity
widens, even within a single sector, complexities develop. For example,
the Coast Guard has prioritized risks within individual ports, and it
has actions under way to assess risks across ports, but using this
information to strategically inform the annual program review and
budget process will require further attention.
ODP has made somewhat less progress than the Coast Guard. Relative to
the Coast Guard's progress, its progress reflects a later start, an
organization with much less institutional maturity, and a different
role from the Coast Guard's in that ODP provides grant money rather
than directly setting security policy. ODP was transferred from the
Department of Justice to the Department of Homeland Security in 2003.
While ODP's early grant approval efforts had some risk management
features in place, its main strides in risk management have come in the
procedures recently adopted for the fiscal year 2005 grants. In moving
toward risk management, ODP has found ways to allow information from
the Coast Guard and IAIP to inform its decision making. This is an
encouraging and important sign, because the success of risk management
efforts depends in part on the ability of agencies with security
responsibilities to share and use each others' data and expertise.
Although both the Coast Guard and the port security grant program
administered by ODP have port security as their focus, ODP's more
limited scope of responsibility has also had an effect on its risk
management efforts. First, because ODP's role is to award grants that
support federal priorities in port security, its progress in risk
management depends to a degree on the progress made by federal agencies
in determining what their own port security performance measures should
be. Second, ODP's funding priorities are subject to criteria other than
risk, as the fiscal year 2004 grant awards demonstrate. That year,
after creating an initial list of awardees based in part on risk, and
without regard to ability to pay, ODP extensively revised the list and
awarded grants to entities considered to have fewer funding
alternatives.
Of the three components, IAIP is the least far along in its risk
management efforts. All three factors have had an effect on this
progress: IAIP has been at its task for a relatively short time; it is
a new component; and relative to the Coast Guard and ODP, the scope of
its efforts is much broader and more difficult. IAIP was created under
the Homeland Security Act of 2002, giving the directorate little time
to acquire institutional maturity. In addition to taking on difficult
tasks like risk management, IAIP faces other institutional challenges,
such as establishing new management systems, developing sound human
capital practices, and integrating its efforts with those of the rest
of DHS. Further, the scope of its risk management activities extends
well beyond the port-focused activities of the Coast Guard or ODP. IAIP
is responsible for conducting risk assessments for every critical
infrastructure segment in the nation. As demonstrated by the experience
of its RAMCAP methodology for comparing risk across sectors, IAIP
remains challenged in meeting that responsibility. Its lack of progress
reflects the same lesson that emerges from the Coast Guard's experience
in trying to expand the focus of risk assessments beyond a single port:
The complexity of risk management appears to grow exponentially as the
focus expands beyond a single location or single type of
infrastructure. This complexity may help explain IAIP's lack of
progress, but IAIP is unable at this time to provide adequate assurance
to Congress or the country that the federal government is in a position
to effectively manage risk in national security efforts. Steps have
been small; by far the biggest work is yet to come.
Observation Three: In the Short Term, Further Progress Is Still Heavily
Dependent on Completing and Improving Basic Policies, Procedures, and
Methods:
Acknowledging that the nation still has far to go in establishing a
sound risk management approach to security should not obscure the need
to continue taking small, but critical, steps--building on incremental
advances. The three components we reviewed have actions under way to
improve their risk management approach, and their experience indicates
that much of the immediate work should remain focused on basic steps
needed to implement all components of the full risk management
framework. The recommendations we make in chapters 2, 3, and 4 include
component-specific steps for what needs to be done. In overview, these
specific recommendations cluster around several major themes related to
the five phases:
* Setting strategic goals, objectives, and constraints: While all three
components have broad-scale goals in place, none has yet tied these
goals to specific and measurable results. Without such measures, it is
difficult to gauge what progress has been made in improving security
and what security gaps remain. The Coast Guard is furthest along: It
has tied its goals to activity levels, such as the number of patrols
conducted or vessels inspected, and it is working toward developing
outcome-based measures. This is a good step, but without such measures
in place, it is not possible to see how programs reduce risks, improve
security, or identify gaps in security that remain. All three
components would benefit from specifying in clear and measurable terms
what their efforts are designed to accomplish.
* Conducting risk assessments: All three components can improve their
risk assessment techniques. All three were challenged by a general lack
of detailed information on capabilities and intentions of terrorist
groups as this relates to various threat scenarios. They took different
approaches in response: The Coast Guard, for example, used threat
scenarios as substitutes for detailed threat information and is working
on assigning likelihood to each in order to determine where risks might
be greatest, while IAIP evaluated the consequences of certain possible
attacks and focused its analysis of vulnerabilities on the attacks with
the greatest consequences. Approaches that do not include information
on the likelihood of various threat scenarios have limitations that
affect the degree to which agencies are able to determine how to best
focus their efforts on areas of greatest risk. Efforts to strengthen
both data, methodology, and policy would increase the reliability of
their results.
* Evaluating alternatives: All three components face problems in
measuring the costs and benefits of different measures for preventing
or mitigating terrorist attacks. These include developing ways to
measure costs incurred by a broad range of public and private
stakeholders and developing ways to measure benefits (such as
deterrence) when these benefits may not be quantifiable. These
difficulties are particularly great for IAIP, which must be able to
measure costs and benefits associated with mitigation strategies that
reduce vulnerabilities at critical infrastructure in all sectors. These
difficulties are compounded by the complexity in valuing costs and
benefits in the area of homeland security when either the costs or the
benefits are difficult to quantify or are not valued in monetary terms.
* Management selection: The three components face different challenges
in this area, because each has different types of alternatives
available in making decisions. The Coast Guard has the most direct
control over security efforts; it can, for example, decide what
protective measures to take with its own assets, and it has authority
over other stakeholders to implement the Maritime Transportation
Security Act of 2002. Its challenges lie mainly in what has already
been discussed above--strengthening methods for risk assessment and
alternatives evaluation and integrating this effort with the annual
cycle of program review--so that management can make the most informed
decisions about these efforts. ODP affects security efforts less
directly; it can only consider facilities that have applied for grants,
and it has no direct authority over port facilities in general, as does
the Coast Guard. ODP has worked with the Coast Guard to receive its
input into the grant application process. One challenge is to
consistently apply criteria for management selection in a more
transparent way. IAIP faces the most challenges in this area, because
once it makes recommendations about how to prioritize assets on a
national scale, it is largely dependent on the actions of others to
carry them out and, particularly for owners and operators of private
infrastructure, is dependent to a large degree on persuasion, market
forces, or the work of regulatory agencies that have authority over key
infrastructure, to ensure that protective measures are in place.
* Implementation and monitoring: Particularly for the Coast Guard and
ODP, we have been able to identify instances in which the components
have moved aggressively to improve their risk management approaches--
and to continue doing so. Particularly with its recent setback on its
RAMCAP methodology, IAIP is considerably behind these two components in
implementing any kind of risk management approach. To move forward, it
must overcome more basic problems with assessing risks and
alternatives.
Observation Four: In the Long Term, Progress Rests Heavily on a Level
of Coordination That Has Yet to Be Demonstrated:
In the long term, progress will become increasingly dependent on how
well the nation's homeland security risk management effort is
coordinated. We have identified and reported on some notable
improvements in coordination at the port level, through such mechanisms
as intelligence fusion and coordination centers, local area maritime
security committees, and interagency operational centers.[Footnote 67]
Replicating such coordination among DHS agencies and with state, local,
and industry stakeholders is key.
Currently, various assessment approaches are being used, and in many
ways, these approaches are neither consistent nor comparable. Our work
at IAIP, the Coast Guard, and ODP showed examples of these
inconsistencies. For example, IAIP's initial plans called for treating
all threat scenarios as equally likely to happen, while the Coast Guard
and ODP are attempting to integrate the likelihood of various threat
scenarios into their analysis vulnerabilities. The danger in using
different methods is that if agencies develop systems and methodologies
without some overall coordination, they may end up with redundant or
incompatible systems that have little or no ability to inform one
another. Even more important, these systems may provide decision makers
with unreliable or incomplete data on how to allocate resources and
protect the American people in a cost-effective way. Absolute
compatibility is likely impossible given the multiple stakeholders at
the federal, state, local, and industry levels. For example, owners and
operators of critical infrastructure may value and act on risks
differently than the Coast Guard and IAIP. Having a common risk
management framework is a key consideration for assuring that knowledge
and data can be transferred to all stakeholders, while permitting
stakeholders to value risks in different ways. Even if agencies and
stakeholders were working in close cooperation, lack of coordination is
likely only to exacerbate the problem. This is particularly true given
the difficulty of the task and the limited availability of federal risk
management guidance.
Until now, having such inconsistencies may have seemed less important
than just getting risk management efforts under way. To a degree, we
found this was the case with the larger universe of homeland security
actions: When we first began reviewing agency actions shortly after the
September 11 attacks, we found agencies at work on many efforts, but
signs of coordination problems were already apparent. Similarly, the
risk management efforts that have been conducted to date appear fueled
by a strong sense of the need to make some headway, with coordination
and consistency a lesser concern. For example, IAIP, which is charged
by statute with developing comprehensive assessments of the
vulnerabilities of critical infrastructure and key resources, did not
attempt to guide the Coast Guard's efforts in setting up a methodology
for assessing port-specific risks. IAIP officials told us it was more
important for the Coast Guard and other agencies to proceed with their
risk assessment efforts than to delay starting, even though the
officials recognized that these efforts might create approaches that
would not mesh cleanly with the approach that IAIP would eventually
develop. Given what has occurred to date, this course of action appears
prudent, in that the Coast Guard has a considerable portion of a risk
management system in place. If it had waited to begin until guidelines
and policies had been set, it would still be waiting to start.
Now, however, the need for coordination is looming larger. IAIP has a
significant role to play in this regard through its responsibility for
providing agencies with guidance about risk management, but it has made
limited progress. IAIP has been challenged in establishing uniform
policies, approaches, guidelines, and methodologies for integrating
federal infrastructure protection and risk management activities within
and across sectors, along with metrics and criteria for related
programs and activities as called for by HSPD-7. While IAIP has
coordinated its activities with entities such as ODP and the Coast
Guard, it has yet to issue policies, guidelines, and methodologies as
required by the directive. Making progress with regard to this
challenge is key to an effective use of risk management resources, as
the National Strategy for the Physical Protection of Critical
Infrastructure and Key Assets recognizes.
Guidance is also important when agencies integrate a concern for risk
into the annual cycle of program and budget review. Doing so within an
agency is a difficult task in that traditional ways of reviewing
budgets and programs often rely on program data that call for
continuing or expanding a program without examining the relative risks
that are addressed with the funds that are expended. Shifting
organizations toward this nexus of using risk-based data as part of
annual management review cycles will take time, attention, and
leadership. Even in agencies where much progress has been made in
developing risk management techniques, integrating disparate systems
such as risk management with budget and program management remains a
long-term challenge. The Secretary of DHS has said that operations and
budgets of its agencies will be reviewed through the prism of risk, but
doing this is made difficult by the level of guidance and coordination
that has been provided so far.
DHS has recently reorganized, and the consideration of whether its new
organization will effectively implement its risk management
responsibilities is an important one. At the time we conducted our
review, risk management was the responsibility of IAIP. IAIP's risk
management efforts were focused mainly on assessing and reducing the
vulnerabilities that exist in and around specific facilities or assets.
But DHS's responsibility is broader than this: besides assessing and
reducing vulnerabilities at specific facilities, it also includes
preventing attacks from occurring (and in the process protecting people
and critical infrastructure) and responding to and recovering from
natural disasters and acts of terrorism. This initial focus on
vulnerabilities at specific assets had the potential of limiting DHS's
ability to achieve the broader goal of using risk-based data as a tool
to inform management decisions on all aspects of its missions. The
Secretary of DHS has now moved risk management to a new Preparedness
Directorate. Although, it is unclear how such a move could affect DHS's
ability to carry out its risk management responsibilities, the new
focus on preparedness may result in an emphasis that may go too far the
other way--that is an emphasis on protection of specific assets and
response and recovery at the expense of prevention. As DHS goes
forward, the office in which the risk management responsibility resides
should have a broad perspective across the department's entire mission
as well as the necessary authority to hold DHS component agencies
responsible for carrying out risk management activities in a
coordinated and consistent manner.
Beyond DHS, integrating risk with existing systems for budget and
program review is complicated by the fact that while IAIP has
responsibility for coordinating this effort, IAIP and the Secretary of
DHS are challenged because they must depend on others to follow risk
management principles for programs and budgets at the other six major
Departments or agencies that have been charged with assessing risks
under HSPD-7. In regard to this situation, OMB has taken the position
that this is what the Homeland Security Act and HSPD-7 call for and it
does not play a role in this process. These conditions increase the
uncertainty of implementing risk management across federal agencies in
a way that informs program and budget review processes. Whether such
practices will occur within the executive branch is unclear because of
these organizational barriers.
Recommendations for Executive Action:
To strengthen individual agency efforts to implement a risk management
approach to homeland security activities, we recommend that the
Secretary of Homeland Security direct the Undersecretary for IAIP to
undertake the following three actions:
* As required by presidential directive, establish uniform policies,
approaches, guidelines, and methodologies for integrating federal
infrastructure protection and risk management activities within and
across sectors, along with metrics and criteria for related programs
and activities and develop a timetable for completing such guidance.
Such policies and guidance should address the issue of integrating risk
management systems into existing systems of program and budget review.
* As DHS continues to review its organizational structure, work with
the Secretary's office to determine which office is best suited to help
ensure that the responsibility for risk management policy and
implementation has a broad enough perspective on all elements of risk,
including threats, as well as the necessary authority to coordinate
with DHS component agencies and hold them accountable for risk
management activities.
* Work with the Office of Management and Budget to examine options for
holding departments and agencies accountable for integrating risk
management for homeland security programs and activities into the
annual cycle of program and budget review.
Agency Comments and Our Evaluation:
In commenting on a draft of chapter 5, DHS, including IAIP, generally
concurred with the recommendations. In regard to our observation that
there is a long-term need for guidance and coordination, DHS noted that
as part of the department's second-stage review, a six-point agenda has
been created to ensure that policies, operations, and structures are
best aligned to address potential threats. This agenda is a major step
in the right direction, and as we observe in this chapter, much work
remains to be done to translate this goal into actions.
DHS agrees that the application of risk management to domestic
terrorism has no precedent, and that the probabilities and consequences
of terrorist acts are difficult to predict. DHS also concurred with our
observation that the scope of establishing a risk management framework-
-a former IAIP Directorate responsibility--across the federal
government is immense. DHS acknowledges that IAIP's progress has been
limited in part because its risk assessment responsibilities span broad
sectors of the nation's infrastructure rather than seaports alone. DHS
also submitted written comments under separate cover and we revised the
report where appropriate. Written comments from DHS are in appendix II.
[End of section]
Appendix I: A Risk Management Framework:
This appendix describes how we developed the risk management framework
and how we used it to evaluate activities related to homeland security
and combating terrorism. The framework is intended to be a starting
point for risk management activities and will likely evolve as
processes mature and lessons are learned. A glossary is included at the
end of this appendix.
General Lack of Uniform Guidance on Risk Management:
Although the Homeland Security Act and subsequent strategies advocate
the use of risk management to protect the nation's critical
infrastructure and key resources, they did not define how this was to
be accomplished. Homeland Security Presidential Directive 7 (HSPD-7)
directed the Secretary of the Department of Homeland Security (DHS) to
establish uniform policies, approaches, guidelines, and methodologies
integrating federal infrastructure protection and risk management
activities. However, no further direction or guidance as to the course
of action has been forthcoming.
The ability to anticipate future happenings and to choose among
alternatives lies at the heart of risk management and provides us with
a guide, based on good management practices and supported by
established internal controls that can enhance decision making.
Although risk management has long been used for assessing risk in some
sectors, such as environmental issues, health care, finance, and the
insurance industry, the application of risk management principles to
the homeland security area is relatively new. The many areas and
activities under homeland security provide untested and difficult
challenges because the source of the risk is an intelligent adversary
with whom there exists little domestic experience. As a result, the
probabilities and consequences of a terrorist attack are difficult to
predict. In spite of this high degree of uncertainty and the knowledge
that not all risk can be eliminated, enhancing protection from known or
potential threats can help prevent or mitigate adverse events.
Methodology for Developing a Risk Management Framework:
Given that there is no established universally agreed upon set of
requirements or processes for a risk management framework specifically
related to homeland security and combating terrorism, we developed a
framework that would be applicable by reviewing, analyzing, and
synthesizing several sources of information.
We began by reviewing current risk literature and previous GAO reports
and testimonies.[Footnote 68] We consulted the Government Performance
and Results Act (GPRA) of 1993; the Government Auditing Standards, 2003
Revision, GAO's Standards for Internal Control in the Federal
Government (November 1999); guidance from the Office of Management and
Budget (OMB); the work of the President's Commission on Risk
Management; consulting papers; and the enterprise risk management
approach of the Committee of Sponsoring Organizations (COSO) of the
Treadway Commission. In addition, we consulted with experts in the
fields of risk management, risk modeling, and terrorism. We reviewed
numerous frameworks from industry, government, and academic sources.
We synthesized information from these numerous government, industry,
and academic sources in developing our risk management framework. The
framework was field-tested on several GAO reviews. The draft framework
was then reviewed by three academic experts in risk management. No
substantial changes to the draft framework were recommended.
A Risk Management Framework:
The framework should be considered to be a starting point in a field
that is evolving, and the entire cycle of risk management activities
should be viewed as a goal. The phases contained in the framework are:
* strategic goals, objectives, and constraints;
* risk assessment;
* alternatives evaluation;
* management selection; and:
* implementation and monitoring.
The framework has been developed so that individual phases of the
approach, such as risk assessment, do not become ends in themselves,
but provide a full cycle of related activities, from strategic planning
through implementation and monitoring. The process is dynamic, and
although the various phases appear linear, new information can be
entered at any phase. The framework can be used to inform agency
officials and decision makers of the basic components of a risk
management system or can be used as a stand-alone guide. Figure 4
illustrates our risk management framework and some sources of criteria,
such as GAO best practices, Office of Management and Budget circulars,
GAO guidance on internal controls, and the Government and Performance
Act of 1993 and their link with management processes. While statistical
methods and risk-ranking approaches frequently underlie risk assessment
approaches, different application areas tend to develop their own
terminologies and their own logical sequences for the cause of risk.
Figure 4: Sources of Evaluation Criteria Associated with Risk
Management Phases:
[See PDF for image]
[End of figure]
The risk management framework is designed to be flexible, in that the
approach may be applied at various organizational levels ranging from
that of a department level of a multiagency organization down to that
of a specific project or program.
Because there is no one uniformly accepted approach to risk management,
terms and activities may differ across applications. However, any
approach that omits the substance of the steps shown in figure 4 is
likely to have material weaknesses. Table 11 summarizes the phases of
our risk management framework and provides examples of elements
contained in those phases.
Table 11: A Risk Management Framework:
Phase: Strategic goals, objectives, and constraints;
Description: Addresses what the strategic goals are attempting to
achieve and the steps needed to attain those results;
Example of elements:
* Overall results desired, i.e., "end state";
* Hierarchy of strategic goals and subordinate objectives related to
those goals;
* Specific activities to achieve results;
* Priorities, milestones, and outcome-related performance measures;
* Limitations or constraints that affect outcomes.
Phase: Risk assessment;
Description: Addresses identification of key elements of potential
risks so that countermeasures can be selected and implemented to
prevent or mitigate their effects;
Example of elements:
* Analysis of threat gained from available sources (This threat
information will be used to develop scenarios. See below);
* Estimation of vulnerability of an asset based on standards, such as;
* Availability/predictability;
* Accessibility;
* Countermeasures in place, and;
* Target hardness;
* Identification of consequence of a terrorist attack on a specific
asset and criticality, or the relative importance, of the asset
involved.
Phase: Alternatives evaluation;
Description: Addresses the evaluation of alternative countermeasures to
reduce risk being considered with associated costs;
Example of elements:
* Specific countermeasure(s) to reduce risk;
* Use of external sources to improve decision making such as
consultation with experts and threat scenarios;
* Cost-benefit analysis of countermeasure(s).
Phase: Management selection;
Description: Addresses where resources and investments will be made
based on alternatives evaluation and other management criteria, such as
availability of funds;
Example of elements:
* Management's preferences and value judgments associated with
expenditure of countermeasures and funds, such as distribution of
antiterrorism measures over assets;
* Organizational risk tolerance;
* Resource allocations;
* Documentation of decisions, including rationale.
Phase: Implementation and monitoring;
Description: Addresses how countermeasures will be applied and
mechanism to keep security measures updated;
Example of elements:
* Implementation of countermeasures according to strategy;
* Periodic testing of countermeasures;
* Linkages to other risk management strategies, state, local, or
private entities (horizontal);
* Linkages to other strategies, departmental and national (vertical);
* Mechanisms for alterations in system based on current threat data;
* Periodic evaluation for assessing efficiency and effectiveness of
program.
Source: GAO.
[End of table]
The following sections provide more detail on the five phases of our
risk management framework.
Strategic Goals, Objectives, and Constraints:
This phase addresses what the strategic goals are attempting to achieve
and the steps needed to attain those results, including milestones and
performance measures to permit measurement of progress toward those
goals. Ideally, management decisions should be made in the context of a
strategic plan, with clearly articulated goals and objectives that flow
from the plan. Strategic goals at the highest level could be considered
an "end-state" followed by a logical hierarchy of major goals and
subordinate objectives composed of clear, concise, measurable
activities and timelines to achieve results and ensure accountability.
An organization's program or plan and risk planning documents should
address risk-related issues that are central to its mission. Our work
related to the Government Performance and Results Act of 1993 has
produced guidance that identifies risk for the congressional oversight
of federal agencies' strategic plans.[Footnote 69] The consideration of
risk in strategic planning may be incorporated into planning documents
or into specific management strategies.
Currently, it is difficult to translate plans and actions into a clear
sense of how we are progressing in making our nation more secure. One
reason is that homeland security efforts, in general, lack clear goals
with corresponding performance measures to evaluate progress toward
these goals.[Footnote 70] As others, such as the Gilmore Commission,
have stated, a continuing problem for homeland security has been the
lack of clear strategic guidance about the definition and objectives of
preparedness.[Footnote 71]
Risk management allows entities to operate more effectively in
environments of uncertainty by providing the discipline and structure
in which to address these issues, since risk management is not an end
in itself, but an important component of an entity's management
process. As such, risk management is interrelated with, among other
things, an entity's governance, performance management, and internal
controls. The process of risk management provides the rigor and
structure necessary to identify and select among alternative risk
responses whose cumulative effect is intended to reduce risk, and the
methodologies and techniques for making selection decisions. This
process enables entities to enhance their capability to identify
potential adverse events, assess risks, and establish integrated
responses. Further, this phase in the planning process would include
support and buy-in from upper levels of management and stakeholders.
Acceptance for concepts of the model from this group provides the
groundwork for future discussions.
Finally, various constraints may have an impact on risk management
plans. Some constraints may be imposed by statute, higher-level policy,
budget, or other factors beyond management's control and may vary with
the scale of the application. Managers at different levels within an
organization will have different degrees of flexibility to institute
risk management countermeasures. An important constraint for federal
agencies, such as DHS, is the role that Congress plays in authorizing
and funding programs. For example, Congress may direct specific actions
affecting how agencies allocate funding.
Risk Assessment:
This phase addresses the process of evaluating the threats and
vulnerabilities of assets so that countermeasures might be instituted
to prevent or mitigate risks. Threat, in the risk management model,
concerns the probability that a specific type of attack will be
initiated against a specific target. It includes any circumstance or
event with the potential to cause loss or damage to the asset. Although
agencies may not have enough information to identify and characterize
all threats related to their assets, known or imagined adverse events
would be characterized in some detail. Effective threat analysis is
dependent on an understanding of an adversary's intention, motivation,
historical data, and capability to damage. An additional crucial
component of risk assessment is vulnerability, that is, any weakness
that an adversary can exploit to harm or damage the asset. An asset may
be highly vulnerable to one mode of attack but have a low level of
vulnerability to another, depending on a variety of factors, such as
countermeasures already in place. While consequence concerns the result
of an adverse event on a particular asset, criticality is the asset's
relative importance to the entity. A criticality assessment identifies
and prioritizes assets and functions in terms of specific criteria,
such as their importance to public safety and the economy, as a basis
for identifying which structures or processes are relatively more
important to protect from attack. Criticality assessments are important
because they provide, in combination with the framework's threat and
risk assessments, the basis for prioritizing which assets require
greater protection relative to finite resources and provide information
for later stages in the risk management process. Risk assessments
should utilize the most appropriate subject matter experts in assessing
the components of risk. When dealing with Bayesian probability
estimates, this is critical.[Footnote 72] In addition, mathematical
constructs must be chosen carefully, specifically tailoring approaches
in the context of uncertainty and data quality.
Alternative Evaluation:
This phase addresses the evaluation of risk reduction methods by
consideration of countermeasures or countermeasure systems and the
costs and benefits associated with them. Ideally, a risk management
framework would include an evaluation of a risk assessment as a valid
decision support tool to establish and prioritize a risk management
strategy. Furthermore, a strategy might include risk management
consultants and decision-making tools, such as software that simulates
a particular type of attack. Information developed in previous phases
would inform decisions.
Specific countermeasures would be considered and prioritized based on a
number of factors, such as the degree of risk reduction they afford and
the cost and difficulty to implement them. Risk assessment may give
guidance to implementing countermeasures or countermeasure systems that
may be used for more than one critical asset, or to prevent, mitigate,
or respond to multiple adverse events occurring simultaneously. In
addition, external risk consultants can be advantageous at this phase
in terms of creating a variety of countermeasure options. While
external reviewers cannot ensure the success of a plan, they can
increase the probability of selecting the most effective
countermeasures for the least cost because of their expertise in the
area. Further, risk scenarios might also provide valuable information
pertaining to an entity's ability to respond to a terrorist event,
evaluate its coordination with other entities, identify problems, and
institute corrective action.
Finally, a risk management strategy should include a cost-benefit
analysis of countermeasure options as they are a critical element of
alternatives evaluation. Major regulatory actions or capital
investments of federal expenditures generally require a cost-benefit or
cost-effectiveness approach.[Footnote 73] This approach can be useful
in evaluating alternatives, since it links the benefits from risk-
reducing countermeasures to the costs associated with them. In the
development of such analyses, quantitative impacts affecting both costs
and benefits are, to the extent possible, identified in monetary terms.
While the core OMB guidance for evaluating countermeasures for
budgetary and regulatory purposes focuses on monetary cost-benefit
evaluation, OMB is essentially silent when costs and benefits cannot be
easily quantified or monetized. Costs that are not generally estimated
or included in monetary terms include opportunity costs, that is, the
value of opportunities forgone because resources are applied to
antiterrorism countermeasures. These costs are most controversial when
considered in areas such as public service programs or services
curtailed or cancelled. Benefits are usually measured in terms of the
risk reduction they provide. They are considered in terms of the
overall effectiveness of the countermeasures with respect to the
estimated vulnerabilities.
Management Selection:
This phase addresses such issues as determining where resources and
investments will be made, the sources and types of resources needed,
and where those resources would be targeted. Management's active
participation in this phase is important as decisions are of necessity
influenced by the preferences and value judgments of agency leadership.
For example, some managers will prefer to concentrate countermeasures
on a relatively few critical assets, while others may value
distributional impacts, that is, to distribute resources over a wide
variety of assets. Ideally, a risk management strategy would also
identify appropriate mechanisms to allocate resources, such as grants
based on identified needs. Furthermore, a key factor in the selection
of risk reducing measures is risk tolerance, the level of comfort
management has with various levels of risk. This tolerance may change
over time, depending on new information, changes in financial
constraints, and attitude toward risk. The risk management strategy,
with stakeholder input, will identify what constitutes an acceptable
level of risk for assets and how resources are delegated.
The risk management strategy reflects consideration as to which risks
should be managed immediately and to what extent, and which risks can
be deferred and addressed at a later time. Milestones and timelines for
implementation are important elements that allow evaluating the extent
to which progress is being made toward achieving goals. It also
illustrates the degree of protection that can be obtained and places
security and costs in perspective. The documentation of management
decisions, including the rationales that support the decisions, will
provide valuable information for future adjustments.
Implementation and Monitoring:
This phase addresses the degree to which risk management strategies
contain internal controls and performance measurement guidelines. In
addition to implementing countermeasures, it may also include
implementing new organizational policies and procedures, as well as
human, physical, and technical controls. Countermeasures would be
initiated in accordance with the timelines in the risk management
schedule.
Monitoring and evaluation include, when and where appropriate, external
peer review, testing and validation of countermeasures, evaluating the
effects of these actions on future operation, and identifying
unintended consequences. GAO has also discussed the importance of these
activities as they ensure actions are taken to address risks.
Internal control monitoring should assess the quality of performance
over time and ensure that the findings of audits and other reviews are
promptly resolved.[Footnote 74] Internal controls help to ensure that
procedures are documented and maintained.
Difficulties Applying a Risk Management Framework:
Risk management represents a unique set of challenges. Developing such
a framework is designed to guide the actions of management to prepare
for and respond to adverse events in an environment of uncertainty. As
applied to homeland security, the ability to determine the likelihood
of terrorism-related events occurring and quantifying the resulting
outcomes is balanced against the benefit as protection (security)
provided at an acceptable cost.
Generally, a major difficulty in executing and implementing a risk
management system occurs because of what is commonly called decision
uncertainty, that is, the assumed goal of minimizing risk does not have
a common meaning.[Footnote 75] For example, minimizing risk is based on
values, the measure of risk, and the comparison of values and risk.
Decision uncertainty arises when there is controversy or ambiguity
concerning how to compare and weight social objectives. Three major
sources of decision uncertainty are:
* Risk measurement--although the selection of risk measurement is both
an art and a science, it must be technically correct as well as both
valid and meaningful.
* The social cost of risk--in order to make different risks comparable,
various risks often have to be quantified into comparable quantities
and placing values on cost and benefits involves judgments.
* The quantification of social values--uncertainty surrounds the level
of risk that is acceptable or can be tolerated. That is, how much money
is to be spent on protection meaning risk reduction and what is the
cost in terms of opportunities forgone because of finite resources.
This value is dependent upon determining society's risk attitude or
tolerance and may change over time.
Coordination activities suggest that for the results of a risk
management system to be meaningful and useful, all related agencies
should be using similar methods. If agencies' methods are not
compatible, then comparisons between agencies become difficult and
sector or national risk assessments becomes less reliable. In our
earlier work, we concluded that a structured, systematic approach to
risk management offers the best assurance that activities designed to
protect the homeland and combat the effects of terrorism will produce
the most effective and efficient results.[Footnote 76] Specific
difficulties implementing risk management systems are contained in
chapters 2, 3, and 4.
Glossary of Risk Management Terms:
For purposes of our risk management framework, we use the following
definitions:
* Asset---any person, facility, material, information, or activity that
has a positive or symbolic value. An asset may have a value to an
adversary as well as to its owner, although the nature and magnitude of
these values may differ. Assets may be categorized or combined in many
ways; examples are people, information, equipment, facilities,
operations, and activities.
* Benefit---net outcome, usually translated into monetary terms; a
benefit may include both direct and indirect effects.
* Consequence---the expected worse case or reasonable worse case impact
of a successful attack. The consequence to a particular asset can be
evaluated when threat and vulnerability are considered together. This
loss or damage may be long-or short-term in nature.
* Cost---input, both direct and indirect.
* Cost-benefit analysis---part of the management decision-making
process in which the costs and benefits of each countermeasure
alternative are compared and the most appropriate alternative is
selected. Costs include the price paid for tangible materials and the
ongoing operational costs associated with implementing the
countermeasures. Benefits are expressed in terms of the amount of risk
reduction based on the overall effectiveness of the countermeasure with
respect to the assessed vulnerabilities.
* Countermeasure---any action taken or physical equipment used
principally to reduce or eliminate one or more vulnerabilities. The
cost of a countermeasure is usually expressed in monetary terms but may
include nonmonetary costs such as reduced operational effectiveness,
unfavorable working conditions, adverse publicity and political
consequences.
* Criticality assessment---identifies and evaluates an entity's assets
or operations on the basis of a variety of factors, including the
importance of an asset or function and the significance of a system in
terms of national security, economic activity, and public safety. A
criticality assessment provides the basis for determining which assets
require greater or special protection relative to finite resources.
* Impact---the amount of loss or damage that can be expected from a
successful attack on an asset. Loss may be monetary, but may include
loss of lives and destruction of a symbolic structure.
* Monitoring and evaluation---is a continuous repetitive assessment
process to keep a risk management process current and relevant. It
includes, among other activities, external peer review, testing, and
validation.
* Opportunity cost--the value of opportunities forgone.
* Risk--an event that has a potentially negative impact and the
possibility that such an event will occur and adversely affect an
entity's assets, activities, and operations. The principal classes of
risk from terrorism are to the general public, targets of symbolic
value, organizational, governmental, and societal infrastructure, cyber
and physical infrastructure, and economic sectors and structures.
* Risk assessment---the process of qualitatively or quantitatively
determining the probability of an adverse event and the severity of its
impact on an asset. It is a function of threat, vulnerability, and
consequence. A risk assessment may include scenarios in which two or
more risks interact to create a greater or lesser impact. A risk
assessment provides the basis for the rank ordering of risks and for
establishing priorities for applying countermeasures.
* Risk management---a continuous process of managing--through a series
of mitigating actions that permeate an entity's activities--the
likelihood of an adverse event and its negative impact. Risk management
addresses risk before mitigating action, as well as the risk that
remains after countermeasures have been taken.
* Scenario---the combination of weapon and attack mode on a specific
target or critical asset (for example, the release of sarin gas in a
subway train).
* Threat---an indication of the likelihood that a specific type of
attack will be initiated against a specific target or class of targets.
It may include any indication, circumstance, or event with the
potential to cause the loss of or damage to an asset. It can also be
defined as an adversary's intention and capability to undertake actions
that would be detrimental to a valued asset.
* Threat assessment---the identification and evaluation of adverse
events that can harm or damage an asset. A threat assessment includes
the probability of an event and the extent of its lethality. Threats
may be present at the global, national, or local level.
* Vulnerability---the probability that a particular attempted attack
will succeed against a particular target or class of targets.
* Vulnerability assessment---the identification of weaknesses in
physical structures, personal protection systems, processes or other
areas that may be exploited. A vulnerability assessment identifies
inherent states and the extent of their susceptibility to exploitation
relative to the existence of any countermeasures.
[End of section]
Appendix II: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
November 23, 2005:
Ms. Margaret T. Wrightson:
Director, Homeland Security and Justice:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Ms. Wrightson:
RE: Draft Report GAO-06-91, Risk Management: Further Refinements Needed
to Assess Risks and Prioritize Protective Measures at Ports and Other
Critical Infrastructure (GAO Job Code 440378):
The Department of Homeland Security (DHS) appreciates the opportunity
to review and comment on the Government Accountability Office's (GAO)
draft report. The report describes the challenges faced by the
Department and its components, specifically the U.S. Coast Guard
(USCG), Office of Domestic Preparedness (ODP), and the Information
Analysis and Infrastructure Protection (IAIP) Directorate. The report
focuses on these three components and was not a comprehensive review of
the entire Department. Nevertheless, the report provides information
and a perspective on the degree of progress being made within the
Department. We note that as a result of a recent reorganization ODP
(now Grants and Training) and the Infrastructure Protection (IP) part
of the former IAIP Directorate are now components in the Preparedness
Directorate.
We appreciate the acknowledgement of the work performed to date,
particularly at the USCG and ODP and the challenges faced by the three
components and the Department in fulfilling our mission. The draft
report correctly articulates that the application of risk management to
domestic terrorism has no precedent, and that the probabilities and
consequences of terrorist acts are difficult to predict. Indeed, as
noted in the report, the scope of establishing a risk management
framework--a former IAIP Directorate responsibility--across the federal
government to protect the nation's critical infrastructure and key
resources is immense. IAIP's progress has been limited in part because
its risk assessment responsibilities span broad sectors of the nation's
infrastructure, rather than seaports alone.
We generally concur with the recommendations that are essentially
directed to USCG, ODP, and IAIP. While no recommendations are directed
specifically to the Department, the auditors observed that there is a
long term need for more guidance and coordination from the Department
level, both to help ensure that individual components are carrying out
their roles effectively and to ensure that individual components work
as effectively as possible with one another. As part of the
Department's Second Stage Review, a six point agenda has been created
to ensure that our policies, operations, and structures are best
aligned to address potential threats. The review, initiated by the
Secretary, examined nearly every element of the Department of Homeland
Security in order to recommend ways that DHS could better:
* Manage risk in terms of threat, vulnerability and consequence;
* Prioritize policies and operational missions according to this risk-
based approach; and:
* Establish a series of preventive and protective steps that would
increase security at multiple levels.
USCG officials generally agree with the findings and recommendations.
As noted in the draft, USCG has made progress in all five risk
management phases and is taking action to address the challenges it
faces in each phase.
The recommendations addressed to the Executive Director for ODP
relating to the Port Security Grant (PSG) program are reasonable if
taken in context. Most of GAO's review took place prior to significant
changes made to the program in FY 2005. We appreciate your effort to
review some of the FY 2005 PSG programmatic materials and include some
analysis of FY 2005 in the report after most of your work was
completed. However, while there is obviously an understanding of at
least the modifications made in the grant guidance, many of the
examples and criticisms continue to be derived from analysis of the FY
2004 program. Several of the comments and recommendations have already
been addressed, including the comparison of risk across ports and
clarification of the conditions under which greater leveraging of
federal dollars should be included as a strategic goal. We anticipate
that the remaining ODP related recommendations will be addressed in the
FY 2006 PSG program at least to the extent possible given the
limitations correctly noted by GAO. ODP officials encourage GAO to
revisit the program in the spring of 2006.
IP is taking the following steps as part of its effort to address
recommendations made in the report:
* The intelligence community task is being pursued in a collaborative
pilot with the USCG, which will be evaluated, improved upon, and them
more broadly applied within the intelligence community pending their
acceptance.
* The FY 2006 grants were prioritized with a risk analysis methodology
that was applied considering a small set of assets (less than 50 types)
across sectors, and applying the current state of threat assessments.
* The National Infrastructure Protection Plan is out for comment. The
issue of identifying protective measures that could address multiple
threat scenarios is being addressed by IP, as opposed to Sector
Specific Agency guidance. It is a cross sector issue that is being
considered in the developing cost/benefit framework.
Technical comments will be sent under separate cover.
Sincerely,
Signed by:
Steven J. Pecinovsky:
Director:
Departmental GAO/OIG Liaison Office:
[End of section]
Appendix III: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Margaret T. Wrightson (415) 904-2200:
Stephen L. Caldwell (202) 512-9610:
Staff Acknowledgments:
In addition to the persons named above, David Alexander, Neil Asaba,
Nancy A. Briggs, Christine Davis, Scott Farrow, Kevin Heinz, Emily S.
Pickrell, Albert Schmidt, Stan Stenersen, April Thompson, and L. James
Valverde made key contributions to this report.
[End of section]
Related GAO Products:
Critical Infrastructure Protection:
Critical Infrastructure Protection: Challenges in Addressing
Cybersecurity. GAO-05-827T. Washington, D.C.: July 19, 2005:
Critical Infrastructure Protection: Department of Homeland Security
Faces Challenges in Fulfilling Cybersecurity Responsibilities. GAO-05-
434. Washington, D.C.: May 26, 2005.
Homeland Security: Agency Plans, Implementation, and Challenges
Regarding the National Strategy for Homeland Security. GAO-05-33.
Washington, D.C.: January 14, 2005.
Homeland Security: Further Actions Needed to Coordinate Federal
Agencies' Facility Protection Efforts and Promote Key Practices. GAO-
05-49. Washington, D.C.: November 30, 2004.
U.S. Postal Service: Physical Security Measures Have Increased at Some
Core Facilities, but Security Problems Continue. GAO-05-48. Washington,
D.C.: November 16, 2004.
Drinking Water: Experts' Views on How Federal Funding Can Best Be Spent
to Improve Security. GAO-04-1098T. Washington, D.C.: September 30,
2004.
Financial Market Preparedness: Improvements Made, but More Action
Needed to Prepare for Wide-Scale Disasters. GAO-04-984. Washington,
D.C.: September 27, 2004.
Nuclear Regulatory Commission: Preliminary Observations on Efforts to
Improve Security at Nuclear Power Plants. GAO-04-1064T. Washington,
D.C.: September 14, 2004.
U.S. Postal Service: Better Guidance Is Needed to Ensure an Appropriate
Response to Anthrax Contamination. GAO-04-239. Washington, D.C.:
September 9, 2004.
Public Key Infrastructure: Examples of Risk and Internal Control
Objectives Associated with Certification Authorities. GAO-04-1023R.
Washington, D.C.: August 10, 2004.
Combating Terrorism: DOD Efforts to Improve Installation Preparedness
Can Be Enhanced with Clarified Responsibilities and Comprehensive
Planning. GAO-04-855. Washington, D.C.: August 9, 2004.
Homeland Security: Transformation Strategy Needed to Address Challenges
Facing the Federal Protective Service. GAO-04-537. Washington, D.C.:
July 14, 2004.
Critical Infrastructure Protection: Improving Information Sharing with
Infrastructure Sectors. GAO-04-780. Washington, D.C.: July 9, 2004.
Information Security: Agencies Need to Implement Consistent Processes
in Authorizing Systems for Operation. GAO-04-376. Washington, D.C.:
June 28, 2004.
National Nuclear Security Administration: Key Management Structure and
Workforce Planning Issues Remain as NNSA Conducts Downsizing. GAO-04-
545. Washington, D.C.: June 25, 2004.
Nuclear Security: Several Issues Could Impede Ability of DOE's Office
of Energy, Science, and Environment to Meet the May 2003 Design Basis
Threat. GAO-04-894T. Washington, D.C.: June 22, 2004.
Information Security: Information System Controls at the Federal
Deposit Insurance Corporation. GAO-04-630. Washington, D.C.: May 28,
2004.
Posthearing Questions Related to Fragmentation and Overlap in the
Federal Food Safety System. GAO-04-832R. Washington, D.C.: May 26,
2004.
Terrorism Insurance: Effects of Terrorism Risk Insurance Act of 2002.
GAO-04-720T. Washington, D.C.: April 28, 2004.
Nuclear Security: DOE Needs to Resolve Significant Issues before It
Fully Meets the New Design Basis Threat. GAO-04-623. Washington, D.C.:
April 27, 2004.
Terrorism Insurance: Implementation of the Terrorism Risk Insurance Act
of 2002. GAO-04-307. Washington, D.C.: April 23, 2004.
Critical Infrastructure Protection: Establishing Effective Information
Sharing with Infrastructure Sectors. GAO-04-699T. Washington, D.C.:
April 21, 2004.
Homeland Security: Federal Action Needed to Address Security Challenges
at Chemical Facilities. GAO-04-482T. Washington, D.C.: February 23,
2004.
Posthearing Questions from the September 17, 2003, Hearing on
"Implications of Power Blackouts for the Nation's Cybersecurity and
Critical Infrastructure Protection: The Electric Grid, Critical
Interdependencies, Vulnerabilities, and Readiness." GAO-04-300R.
Washington, D.C.: December 8, 2003.
Security: Counterfeit Identification Raises Homeland Security Concerns.
GAO-04-133T. Washington, D.C.: October 1, 2003.
Nuclear Regulatory Commission: Oversight of Security at Commercial
Nuclear Power Plants Needs to Be Strengthened. GAO-03-752. Washington,
D.C.: September 4, 2003.
Nuclear Security: DOE Faces Security Challenges in the Post September
11, 2001, Environment. GAO-03-896TNI. Washington, D.C.: June 24, 2003.
Nuclear Security: NNSA Needs to Better Manage Its Safeguards and
Security Program. GAO-03-471. Washington, D.C.: May 30, 2003.
Information Security: Progress Made, but Challenges Remain to Protect
Federal Systems and the Nation's Critical Infrastructures. GAO-03-564T.
Washington, D.C.: April 8, 2003.
Homeland Security: EPA's Management of Clean Air Act Chemical Facility
Data. GAO-03-509R. Washington, D.C.: March 14, 2003.
Homeland Security: Voluntary Initiatives Are Under Way at Chemical
Facilities, but the Extent of Security Preparedness Is Unknown. GAO-03-
439. Washington, D.C.: March 14, 2003.
Potential Terrorist Attacks: Additional Actions Needed to Better
Prepare Critical Financial Market Participants. GAO-03-414. Washington,
D.C.: February 12, 2003.
Potential Terrorist Attacks: More Actions Needed to Better Prepare
Critical Financial Markets. GAO-03-468T. Washington, D.C.: February 12,
2003.
Potential Terrorist Attacks: Additional Actions Needed to Better
Prepare Critical Financial Market Participants. GAO-03-251. Washington,
D.C.: February 12, 2003.
High-Risk Series: Protecting Information Systems Supporting the Federal
Government and the Nation's Critical Infrastructures. GAO-03-121.
Washington, D.C.: January 1, 2003.
Combating Terrorism: Actions Needed to Guide Services' Antiterrorism
Efforts at Installations. GAO-03-14. Washington, D.C.: November 1,
2002.
Homeland Security: Department of Justice's Response to Its
Congressional Mandate to Assess and Report on Chemical Industry
Vulnerabilities. GAO-03-24R. Washington, D.C.: October 10, 2002.
Building Security: Interagency Security Committee Has Had Limited
Success in Fulfilling Its Responsibilities. GAO-02-1004. Washington,
D.C.: September 17, 2002.
Chemical Safety: Emergency Response Community Views on the Adequacy of
Federally Required Chemical Information. GAO-02-799. Washington, D.C.:
July 31, 2002.
Critical Infrastructure Protection: Significant Homeland Security
Challenges Need to Be Addressed. GAO-02-918T. Washington, D.C.: July 9,
2002.
Information Security: Corps of Engineers Making Improvements, but
Weaknesses Continue. GAO-02-589. Washington, D.C.: June 10, 2002.
Security Breaches at Federal Buildings in Atlanta, Georgia. GAO-02-
668T. Washington, D.C.: April 30, 2002.
National Preparedness: Technologies to Secure Federal Buildings. GAO-
02-687T. Washington, D.C.: April 25, 2002.
Diffuse Security Threats: Technologies for Mail Sanitation Exist, but
Challenges Remain. GAO-02-365. Washington, D.C.: April 23, 2002.
Terrorism Insurance: Rising Uninsured Exposure to Attacks Heightens
Potential Economic Vulnerabilities. GAO-02-472T. Washington, D.C.:
February 27, 2002.
Critical Infrastructure Protection: Significant Challenges in
Safeguarding Government and Privately Controlled Systems from Computer-
Based Attacks. GAO-01-1168T. Washington, D.C.: September 26, 2001.
Combating Terrorism: Actions Needed to Improve DOD Antiterrorism
Program Implementation and Management. GAO-01-909. Washington, D.C.:
September 19, 2001.
Critical Infrastructure Protection: Significant Challenges in
Protecting Federal Systems and Developing Analysis and Warning
Capabilities. GAO-01-1132T. Washington, D.C.: September 12, 2001.
Maritime Security:
Coast Guard: Progress Being Made on Addressing Deepwater Legacy Asset
Condition Issues and Program Management, but Acquisition Challenges
Remain. GAO-05-757. Washington, D.C.: July 22, 2005.
Coast Guard--Electronic Certification Procedures. B-302789. Washington,
D.C.: July 6, 2005:
Coast Guard: Preliminary Observations on the Condition of Deepwater
Legacy Assets and Acquisition Management Challenges. GAO-05-651T.
Washington, D.C.: June 21, 2005.
Maritime Security: Enhancements Made, but Implementation and
Sustainability Remain Key Challenges. GAO-05-448T. Washington, D.C.:
May 17, 2005.
Coast Guard: Preliminary Observations on the Condition of Deepwater
Legacy Assets and Acquisition Management Challenges. GAO-05-307T.
Washington, D.C.: April 20, 2005.
Maritime Security: New Structures Have Improved Information Sharing,
but Security Clearance Processing Requires Further Attention. GAO-05-
394. Washington, D.C.: April 15, 2005.
Coast Guard: Observations on Agency Priorities in Fiscal Year 2006
Budget Request. GAO-05-364T. Washington, D.C.: March 17, 2005.
Homeland Security: Process for Reporting Lessons Learned from Seaport
Exercises Needs Further Attention. GAO-05-17. Washington, D.C.: January
14, 2005.
Coast Guard: Station Readiness Improving, but Resources Challenges and
Management Concerns Remain. GAO-05-161. Washington, D.C.: January 31,
2005.
Port Security: Planning Needed to Develop and Operate Maritime Worker
Identification Card Program. GAO-05-106. Washington, D.C.: December 10,
2004.
Maritime Security: Better Planning Needed to Help Ensure an Effective
Port Security Assessment Program. GAO-04-1062. Washington, D.C.:
September 30, 2004.
Maritime Security: Partnering Could Reduce Federal Costs and Facilitate
Implementation of Automatic Vessel Identification System. GAO-04-868.
Washington, D.C.: July 23, 2004.
Maritime Security: Substantial Work Remains to Translate New Planning
Requirements into Effective Port Security. GAO-04-838. Washington,
D.C.: June 30, 2004.
Coast Guard: Station Spending Requirements Met, but Better Processes
Needed to Track Designated Funds. GAO-04-695. June 14, 2004.
Coast Guard: Key Management and Budget Challenges for Fiscal Year 2005
and Beyond. GAO-04-636T. Washington, D.C.: April 7, 2004.
Homeland Security: Summary of Challenges Faced in Targeting Oceangoing
Cargo Containers for Inspection. GAO-04-557T. Washington, D.C.: March
31, 2004.
Coast Guard Programs: Relationship between Resources Used and Results
Achieved Needs to Be Clearer. GAO-04-432. Washington, D.C.: March 22,
2004.
Homeland Security: Preliminary Observations on Efforts to Target
Security Inspections of Cargo Containers. GAO-04-325T. Washington,
D.C.: December 16, 2003.
Posthearing Questions Related to Aviation and Port Security. GAO-04-
315R. Washington, D.C.: December 12, 2003.
Maritime Security: Progress Made in Implementing Maritime
Transportation Security Act, but Concerns Remain. GAO-03-1155T.
Washington, D.C.: September 9, 2003.
Container Security: Expansion of Key Customs Programs Will Require
Greater Attention to Critical Success Factors. GAO-03-770. Washington,
D.C.: July 25, 2003.
Homeland Security: Challenges Facing the Department of Homeland
Security in Balancing its Border Security and Trade Facilitation
Missions. GAO-03-902T. Washington, D.C.: June 16, 2003.
Coast Guard: Challenges during the Transition to the Department of
Homeland Security. GAO-03-594T. Washington, D.C.: April 1, 2003.
Transportation Security: Post-September 11th Initiatives and Long-Term
Challenges. GAO-03-616T. Washington, D.C.: April 1, 2003.
Coast Guard: Comprehensive Blueprint Needed to Balance and Monitor
Resource Use and Measure Performance for All Missions. GAO-03-544T.
Washington, D.C.: March 12, 2003.
Homeland Security: Challenges Facing the Coast Guard as It Transitions
to the New Department. GAO-03-467T. Washington, D.C.: February 12,
2003.
Coast Guard: Strategy Needed for Setting and Monitoring Levels of
Effort for All Missions. GAO-03-155. Washington, D.C.: November 12,
2002.
Port Security: Nation Faces Formidable Challenges in Making New
Initiatives Successful. GAO-02-993T. Washington, D.C.: August 5, 2002.
Combating Terrorism: Preliminary Observations on Weaknesses in Force
Protection for DOD Deployments through Domestic Seaports. GAO-02-
955TNI. Washington, D.C.: July 23, 2002.
Risk Management:
Passenger Rail Security: Enhanced Federal Leadership Needed to
Prioritize and Guide Security Efforts. GAO-05-851. September 9, 2005:
Homeland Security: Actions Needed to Better Protect National Icons and
Federal Office Buildings from Terrorism. GAO-05-790. June 24, 2005.
Protection of Chemical and Water Infrastructure: Federal Requirements,
Actions of Selected Facilities, and Remaining Challenges. GAO-05-327.
Washington, D.C.: March 28, 2005.
Transportation Security: Systematic Planning Needed to Optimize
Resources. GAO-05-357T. February 15, 2005:
Homeland Security: Agency Plans, Implementation, and Challenges
Regarding the National Strategy for Homeland Security. GAO-05-33.
January 14, 2005.
Homeland Security: Further Actions Needed to Coordinate Federal
Agencies' Facility Protection Efforts and Promote Key Practices. GAO-
05-49. November 30, 2004:
General Aviation Security: Increased Federal Oversight is Needed, but
Continued Partnership with the Private Sector is Critical to Long-Term
Success. GAO-05-144. November 10, 2004.
Air Traffic Control: System Management Capabilities Improved, but More
Can Be Done to Institutionalize Improvements. GAO-04-901. August 20,
2004:
Aviation Security: Challenges in Using Biometric Technologies. GAO-04-
785T. May 19, 2004.
Homeland Security: Summary of Challenges Faced in Targeting Oceangoing
Cargo Containers for Inspection. GAO-04-557T. March 31, 2004:
Rail Security: Some Actions Taken to Enhance Passenger and Freight Rail
Security, but Significant Challenges Remain. GAO-04-598T. March 23,
2004.
Homeland Security: A Risk Management Approach Can Guide Preparedness
Efforts. GAO-02-208T. Washington, D.C.: October 31, 2001.
Homeland Security: Key Elements of a Risk Management Approach. GAO-02-
150T. Washington, D.C.: October 12, 2001.
FOOTNOTES
[1] On November 14, 2005, DHS reorganized the department. ODP and the
Infrastructure Protection part of the former IAIP Directorate are now
components in the Preparedness Directorate. We recognize the recent
organizational changes, but because ODP and IAIP carried out the work
we reviewed, we have not changed the name or organizational posture of
these DHS components in our report.
[2] The Homeland Security Act incorporates the definition of "critical
infrastructure" used in the USA PATRIOT Act of 2001, meaning "systems
and assets, whether physical or virtual, so vital to the United States
that the incapacity or destruction of such systems and assets would
have a debilitating impact on security, national economic security,
national public health or safety, or any combination of those matters."
The Homeland Security Act defines "key resources" as "publicly or
privately controlled resources essential to the minimal operations of
the economy and government." 6 U.S.C. § 101.
[3] In November 2005, DHS issued a revised Interim National
Infrastructure Protection Plan for comment.
[4] On November 14, 2005, DHS reorganized the department. ODP and the
Infrastructure Protection component of the former IAIP Directorate are
now in the Preparedness Directorate. We recognize the recent
organizational changes, but because ODP and IAIP carried out the work
we reviewed, we have not changed the name or organizational posture of
these DHS components in our report.
[5] A more precise description of risk management is that it involves a
continuous process of managing--through a series of mitigating actions
that permeate an entity's activities--the likelihood of an adverse
event and its negative impact. Risk management addresses risk before
mitigating action, as well as the risk that remains after
countermeasures have been taken. A glossary of risk management terms is
contained at the end of appendix I.
[6] GAO, Combating Terrorism: Threat and Risk Assessments Can Help
Prioritize and Target Program Investments, GAO/NSIAD-98-74 (Washington
D.C.: Apr. 9, 1998), and GAO, Combating Terrorism: Need for
Comprehensive Threat and Risk Assessments of Chemical and Biological
Attacks, GAO/NSIAD-99-163 (Washington, D.C.: Sept. 14, 1999).
[7] 6 U.S.C. 201(d)(1), (2).
[8] GAO, High-Risk Series: An Update, GAO-05-207, p.29 (Washington,
D.C.: January 2005).
[9] GAO-05-207.
[10] For reasons of security, this identification may not be public
knowledge.
[11] A countermeasure is any action taken or physical equipment used
principally to reduce or eliminate one or more vulnerabilities.
[12] The Coast Guard Port Security Risk Assessment Tool is designed to
be used by the Captains of the Ports when making risk-based analyses of
assets in their area of responsibility.
[13] U.S. Coast Guard, Maritime Sentinel: Coast Guard Strategic Plan
for Ports, Waterways, and Coastal Security (Washington D.C.: September
2005). According to Homeland Security Presidential Directive 13 on
Maritime Security Policy (Dec. 21, 2004), maritime domain means all
areas and things of, on, under relating to, adjacent to, or bordering
on a sea, ocean, or other navigable waterway, including all maritime
related activities, infrastructure, people, cargo, and vessels and
other conveyances.
[14] According to the Coast Guard, there are 30 sectors with command
centers already in place.
[15] GAO, Passenger Rail Security: Enhanced Federal Leadership Needed
to Prioritize and Guide Security Efforts, GAO-05-851 (Washington D.C.:
Sept. 9, 2005).
[16] See 46 U.S.C. § 70103(b), (c); 33 C.F.R. §§ 103.400, 103.500,
104.300, 104.400, 105.300, and 105.400.
[17] U.S. Coast Guard, Maritime Strategy for Homeland Security
(Washington, D.C.: December 2002).
[18] Any goals that the Coast Guard establishes will need to be aligned
with two other national efforts to protect critical infrastructure.
First, Homeland Security Presidential Directive-7 establishes a
national policy for federal departments and agencies to identify and
prioritize critical infrastructure and key resources, including assets
and resources in and around ports. Second, Homeland Security
Presidential Directive-13 establishes policy and guidelines for
implementing actions that enhance maritime security. The policy
includes (1) preventing terrorist attacks and reducing vulnerabilities
to attacks in the maritime domain; (2) enhancing security of ports,
critical infrastructure, and coastal approaches; (3) enhancing
international relationships; and (4) ensuring coordinated
implementation of authorities and responsibilities among federal
departments and agencies.
[19] We previously reported on two of these efforts--the area maritime
security assessments and the Port Security Assessment Program. See GAO,
Maritime Security: Substantial Work Remains to Translate New Planning
Requirements into Effective Port Security, GAO-04-838 (Washington D.C.:
June 30, 2004), and Maritime Security: Better Planning Needed to Help
Ensure an Effective Port Security Assessment Program, GAO-04-1062
(Washington D.C.: Sept. 30, 2004).
[20] In addition to these efforts, the Coast Guard was involved in an
interagency effort called the National Maritime Transportation Security
Plan. This effort included the results of the National Maritime
Security Profile. According to the Coast Guard, the results of the plan
will contribute to the Coast Guard's outcome measures for its PWCS
mission.
[21] The threat scenarios examined by the Coast Guard are contained in
documents that are considered sensitive and for official use only.
Accordingly, we do not provide detailed examples of various threat
scenarios evaluated by the Coast Guard.
[22] Coast Guard officials said that in addition to making improvements
in threat, vulnerability, and consequence data, they plan to align some
of their efforts more closely with Department of Homeland Security risk
assessment databases and to conduct sensitivity analyses of various
mitigation strategies.
[23] IAIP officials said that the Coast Guard's efforts are a pilot
project, and that if sufficiently mature, the effort will be more
broadly implemented by the intelligence community.
[24] Similarly, area maritime security plans are not comparable with
one another, in part because PS-RAT results underpin the plans. In
addition to the limitations we describe above, the scores for each port
are relative to that port and scores from one port cannot be compared
with the scores from another port because, in some cases, local Coast
Guard staff developed scores for asset types, such as bridges or
warehouses, and at other port locations, the local staff assigned
scores for individual types of assets. The Port Security Risk
Assessment Program conducted studies at 55 ports at a cost of about $35
million and these studies are also not comparable with one another.
[25] See Y. Y. Haimes, S. Kaplan, and J. H. Lambert, "Risk Filtering,
Ranking, and Management Framework Using Hierarchical Holographic
Modeling," Risk Analysis, Vol. 22, No. 2, 2002, and M. Leung, J. H.
Lambert, and A. Mosenthal, "A Risk-Based Approach to Setting Priorities
in Protecting Bridges Against Terrorist Attacks," Risk Analysis, Vol.
4, No. 4, 2004.
[26] The legislation enabling the port security grant program was the
Department of Defense and Emergency Supplemental Appropriations for
Recovery from and Response to Terrorist Attacks on the United States,
2002, Pub. L. No. 107-117, 115 Stat. 2230, 2327 (2002).
[27] Department of Homeland Security Appropriations Act, 2005, Pub. L.
No. 108-334, 118 Stat. 1298, 1309 (2004).
[28] Federal agency and industry partners include the United States
Coast Guard, the Information Analysis and Infrastructure Protection
Directorate, the Border and Transportation Security Directorate, and
the Transportation Security Administration within DHS; the Maritime
Administration within the Department of Transportation; and the
American Association of Port Authorities.
[29] Department of Homeland Security Appropriations Act, 2006, Pub. L.
No. 109-90, 119 Stat. 2064, 2075 (2005).
[30] Department of Homeland Security, Office of Inspector General,
Review of the Port Security Grant Program, OIG-05-10 (January 2005). In
some years, more than one round of grants has been awarded. In all,
five rounds of grants were awarded between 2002 and 2005.
[31] The Department of Defense and Emergency Supplemental
Appropriations for Recovery from and Response to Terrorist Attacks on
the United States, 2002, Pub. L. No. 107-117, 115 Stat. 2230, 2327
(2002).
[32] Homeland Security Presidential Directive 13 (Dec. 21, 2004).
[33] Office for Domestic Preparedness, U.S. Department of Homeland
Security, Fiscal Year 2005 Port Security Grant Program: Program
Guidelines and Application Kit (Washington, D.C.: 2005). The specific
national priorities cited are (1) chemical, biological, radiological,
nuclear, and explosive detection and response capabilities and (2)
National Infrastructure Protection Plan implementation.
[34] U.S. Coast Guard: Maritime Strategy for Homeland Security,
(Washington, D.C.: December 2002).
[35] In some ways, owners and operators of facilities and vessels have
set their own standards for what an acceptable level of risk is by the
security plans they have developed under the Maritime Transportation
Security Act of 2002. As required by the act, 46 U.S.C. 70103(c),
facility and vessel owners developed over 12,000 plans to reduce
vulnerabilities around their port areas. The Coast Guard required
facility and vessel owners to implement them by July 1, 2004.
[36] ODP estimates that 90 percent of facilities and vessels are owned
by industry.
[37] GAO, Federal Grants: Design Improvements Could Help Federal
Resources Go Further, GAO-AIMD-97-7 (Washington, D.C.: Dec. 18, 1996).
We include this figure here for illustrative purposes only and are not
stating that this degree of substitution would occur in the port
security grant program. For discussion of this issue in other
public/private arenas, such as federal funding for highway investments
and freight mobility projects, see GAO, Freight Transportation:
Strategies Needed to Address Planning and Financing Limitations, GAO-04-
165 (Washington, D.C.: Dec. 19, 2003); Highway and Transit Investments:
Options for Improving Information on Projects' Benefits and Costs and
Increasing Accountability for Results, GAO-05-172 (Washington, D.C.:
Jan. 24, 2005); and Freight Transportation: Short Sea Shipping Option
Shows Importance of Systematic Approach to Public Investment Decisions,
GAO-05-768 (Washington, D.C.: July 29, 2005).
[38] Department of Homeland Security Appropriations Act, 2006, Pub. L.
No. 109-90, 119 Stat. 2064, 2075 (2005). The appropriation incorporates
by reference the federal matching requirement of another federal grant
program contained at 46 U.S.C. 70107(c). The match provision allows
federal funding up to 75 percent of the total cost of the project,
unless the DHS Secretary determines that a proposed project merits
support and cannot be undertaken without a higher rate of federal
support.
[39] Fortune magazine ranks the nation's largest companies on the basis
of revenue.
[40] Management for the fiscal year 2004 program was transferred from
the Transportation Security Agency to ODP during the middle of the
process. ODP assumed full responsibility for the program in fiscal year
2005.
[41] For the 2005 program, the evaluation at the port level is managed
by the Coast Guard Captain of the Port and state officials when
feasible. Applications are reviewed against established criteria and
ranked on relative risk, with the highest rank going to applications
that support the national port security priorities.
[42] ODP defines risk as credible threats and incidents (from the
intelligence community), less credible threats and incidents
(operational indicators), and vessels of interest. It defines
vulnerability as distance from open water, number of port calls, and
presence of tankers, and it defines consequence as people, economic,
national security, and port-specific special considerations (such as
hazardous materials or oil).
[43] Although ODP has primary responsibility for administering the
grant program, the Coast Guard plays a key role in the program. Local
Captains of the Port use the PS-RAT in evaluating grant applications at
the local level, and ODP officials consult frequently with Coast Guard
officials at the national level.
[44] ODP relied on threat-related information provided by IAIP for the
fiscal year 2005 grant program.
[45] ODP worked with the Coast Guard and IAIP in developing the
consequence measures.
[46] When the port security grant program was established, according to
a program official, it was one of the first programs to use the PS-RAT
in order to identify risks. The PS-RAT has been very useful on the
local level as a means for the Coast Guard to look at relative risk to
assets within a port zone in a systematic way. In addition to being a
primary tool for the port security grant program, the PS-RAT has also
been used by members of the Area Transportation Security Committees to
interact with one another and to plan their work.
[47] ODP worked with TSA staff during the assessment process.
[48] MTSA required owners and operators of facilities and vessels to
develop and implement security plans by July 1, 2004. In all, about
12,300 plans were developed. The Coast Guard is charged with approving
the plans and ensuring owners and operators are complying with the
actions called for and determining whether all vulnerabilities have
been identified. Coast Guard compliance inspections were scheduled for
completion by July 2005. Funds requested by owners and operators may
reflect additional security measures taken that go beyond the minimum
requirements called for in the security plans or they could involve
additional technology improvements.
[49] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[50] The Homeland Security Act incorporates the definition of "critical
infrastructure" used in the USA PATRIOT Act of 2001, meaning "systems
and assets, whether physical or virtual, so vital to the United States
that the incapacity or destruction of such systems and assets would
have a debilitating impact on security, national economic security,
national public health or safety, or any combination of those matters."
The Homeland Security Act defines "key resources" as "publicly or
privately controlled resources essential to the minimal operations of
the economy and government." 6 U.S.C. § 101.
[51] See generally 6 U.S.C. 121(d).
[52] Id. 121(d)(1), (2), (3), (6).
[53] The National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets identifies five key assets. The key
assets and lead federal agencies are as follows: national monuments and
icons (Department of the Interior); dams, locks, and levees (Department
of Homeland Security); government facilities (Department of Homeland
Security); commercial and community assets (Department of Homeland
Security); and nuclear reactors, materials, and spent fuel (Department
of Homeland Security, working with the Nuclear Regulatory Commission
and, as appropriate, the Department of Energy). When we use the term
"critical infrastructure" in this chapter, we are referring both to the
13 sectors and to the five key assets.
[54] The National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets is complemented by the National Strategy
to Secure Cyberspace. Also issued in February 2003, the National
Strategy to Secure Cyberspace provides direction to the federal
government departments and agencies that have roles in cyberspace
security and identifies steps that state and local governments, private
companies and organizations, and individuals can take to improve
collective cybersecurity.
[55] In November 2005, DHS issued a Draft National Infrastructure
Protection Plan for comment. We did not evaluate the draft plan because
our field work had already been completed.
[56] GAO, Critical Infrastructure Protection: Challenges in Addressing
Cybersecurity, GAO-05-827T (Washington, D.C.: July 19, 2005).
[57] GAO did not analyze the data in the database and cannot comment on
the database's reliability. The Congressional Research Service has
raised a number of issues concerning the data integrity of the IAIP
asset database. See Congressional Research Service, Risk Management and
Critical Infrastructure Protection: Assessing, Integrating, and
Managing Threats, Vulnerabilities, and Consequences (Washington, D.C.:
February 2005).
[58] See 6 U.S.C.121(d)(2). IAIP considers the combination of the
threat (relative likelihood of the attack type) and vulnerability
(likelihood of the adversary's success) to represent the relative
likelihood of a successful attack occurring.
[59] While the intelligence community does rank threats, IAIP does not
find such information useful in developing data on threats.
Intelligence components of DHS and other intelligence agencies
routinely generate strategic threat assessment matrices and reports
detailing the most likely targets and modes of terrorist attack. These
assessments break down infrastructure and assets into categories and
rank them, numerically or otherwise, according to the relative
likelihood of attack within and across categories. However, IAIP
officials said that the information was not specific to individual
assets.
[60] After grouping all components of critical infrastructure by
sector, IAIP plans to ask the owners or operators to complete a
questionnaire--called a "top screen"--that provides an assessment of
consequential losses arising from a worst-case scenario that assumes
total loss of the asset. Once this information is gathered and
assessed, assets considered to be of sufficient consequence are
evaluated on vulnerability, using three elements: potential method of
attack, probability of success, and consequences of the attack
(including secondary and tertiary effects). By applying this
information to the selected subset of assets, IAIP seeks to identify
the assets of greatest vulnerability and identify strategies that hold
the greatest potential benefits. Much like the consequence assessment,
the vulnerability assessment is carried out by eliciting the opinions
of experts, usually the owner/operator, for a specific piece of
infrastructure.
[61] IAIP has plans to address the risks involved in protecting
additional critical infrastructures, such as stadiums, though a tool
called the Vulnerability, Identification, and Self-Assessment Tool.
This tool will allow owners and operators to assess vulnerabilities in
and around their facilities.
[62] IAIP and the private sector agreed that the goal of the self-
assessments was to satisfy the information needs of DHS.
[63] The eight categories of assets are commercial nuclear power
plants, commercial spent nuclear fuel facilities, chemical plants,
petroleum refineries, liquefied natural gas storage facilities, subway
systems (including bridges and tunnels), railroad systems (including
bridges and tunnels), and highway systems (including bridges and
tunnels). The vulnerability assessments for the chemical sector and
nuclear power plants were pilot projects.
[64] GAO-05-851.
[65] OMB Circulars A-11 and A-94.
[66] GAO, Critical Infrastructure Protection: Challenges for Selected
Agencies and Industry Sectors, GAO-03-233 (Washington D.C.: Feb. 28,
2003); and Homeland Security: Information Sharing Responsibilities,
Challenges, and Key Management Issues, GAO-03-715T (Washington D.C.:
May 8, 2003).
[67] GAO, Maritime Security: New Structures Have Improved Information
Sharing, but Security Clearance Processing Requires Further Attention,
GAO-05-394 (Washington, D.C.: Apr. 15, 2005).
[68] GAO, Combating Terrorism: Threat and Risk Assessments Can Help
Prioritize and Target Program Investments, GAO/NSIAD-98-74 (Washington,
D.C.: April 1998); Combating Terrorism: Evaluation of Selected
Characteristics in National Strategies Related to Terrorism, GAO-04-
408T (Washington, D.C.: Feb. 3, 2004); Rail Security: Some Actions
Taken to Enhance Passenger and Freight Rail Security, but Significant
Challenges Remain, GAO-04-598T (Washington, D.C.: Mar. 23, 2004); and
Homeland Security: Summary of Challenges Faced in Targeting Oceangoing
Cargo Containers for Inspection, GAO-04-557T (Washington, D.C.: Mar.
31, 2004).
[69] GAO, Agencies' Strategic Plans under GPRA: Key Questions to
Facilitate Congressional Review, GAO/GGD-10.1.16 (Washington, D.C.: May
1, 1997).
[70] GAO, Homeland Security: Key Elements to Unify Efforts Are Underway
but Uncertainty Remains, GAO-02-610 (Washington, D.C.: June 7, 2002).
[71] The Gilmore Commission (also known as the Advisory Panel to Assess
Domestic Response Capabilities for Terrorism Involving Weapons of Mass
Destruction), Forging America's New Normalcy (Arlington, Virginia: Dec.
15, 2003).
[72] See Yacov Y. Haimes, Risk Modeling, Assessment, and Management,
2nd ed. (Hoboken, New Jersey: Wiley and Sons, 2004).
[73] Executive Order 12866 and circulars A-4 and A-94 apply to
regulatory actions, and circulars A-11 (sect. 7), A-94, and A-130 apply
to capital investments.
[74] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1, (Washington, D.C.: November 1999).
[75] For a more detailed discussion on this topic, see Yacov Y Haimes,
Risk Modeling, Assessment, and Management, 2nd ed. (Hoboken, New
Jersey: Wiley and Sons, 2004).
[76] See for example, GAO, Homeland Security: Summary of Challenges
Faced in Targeting Oceangoing Cargo Containers for Inspection, GAO-04-
557T (Washington, D.C.: Mar. 31, 2004); Homeland Security: A Risk
Management Approach Can Guide Preparedness Efforts, GAO-02-208T
(Washington, D.C.: Oct. 31, 2001); and Key Elements of a Risk
Management Approach, GAO-02-150T (Washington, D.C.: Oct. 12, 2001).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site (www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548: